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PROTECTING MARITIME FACILITIES IN THE 
21ST CENTURY: ARE OUR NATION’S PORTS 
AT RISK FOR A CYBER ATTACK? 


Thursday, October 8, 2015 

U.S. House of Representatives, 

Committee on Homeland Security, 
Subcommittee on Border and Maritime Security, 

Washington, DC. 

The subcommittee met, pursuant to call, at 10:02 a.m., in Room 
311, Cannon House Office Building, Hon. Candice S. Miller [Chair- 
man of the subcommittee] presiding. 

Present: Representatives Miller, Hurd, Vela, Sanchez, and Jack- 
son Lee. 

Also present: Representatives Donovan, Ratcliffe, and Langevin. 

Mrs. Miller. In the interest of time, we are expecting a number 
of other Members, but we are going to start since we have a hard 
stop today at noon. 

The Committee on Homeland Security’s Subcommittee on Border 
and Maritime Security will come to order. The subcommittee is 
meeting today to examine the cybersecurity efforts at our Nation’s 
ports. We are pleased today to be joined by Admiral Paul Thomas, 
who is the assistant commandant for prevention policy for the 
United States Coast Guard; and Mr. Gregory Wilshusen, director 
of information security issues for the Government Accountability 
Office; Mr. Randy Parsons, who is director of security services for 
the Port of Long Beach, California; and Mr. Jonathan Sawicki, who 
is the security improvement program manager for the Ports of Har- 
lingen and Brownsville, Texas. 

We appreciate all of our witnesses coming this morning. I would 
also at this time ask unanimous consent that the gentleman from 
New York, Mr. Donovan, a Member of the full committee, be al- 
lowed to sit on the dais and participate in today’s hearing as well. 

Without objection, so ordered. 

We appreciate his interest in this subject. 

Before we start, I think all of us certainly offer our thoughts and 
prayers to the family of the 33 crew members of El Faro, which 
was just a very terrible, tragic event that certainly reminds us all 
of the force of Mother Nature. But the Coast Guard men and 
women that went out and performed all the services, the rescues. 
As it goes forward, we certainly thank all of them for their service 
all the time, but there it was on vivid display certainly. 

The purpose of today’s hearing is to examine the vulnerability of 
seaports to cyber attacks and how well-prepared we are to prevent 
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and respond to such an attack. Today, this is going to he the first 
Congressional hearing really convened to examine cyhersecurity at 
our Nation’s ports, which I think is fitting since October actually 
is also National Cyhersecurity Awareness Month. 

The Coast Guard is the Government agency responsible for the 
physical security of our Nation’s port infrastructures. In working 
through the Area Maritime Security Committees, the Coast Guard 
partners with the port authorities and operators to update access 
controls, fence off sensitive areas of the ports, and increase surveil- 
lance, when appropriate, certainly. 

Since 9/11, Congress has appropriated $2.4 billion in port secu- 
rity grant funds to harden port facilities against the potential of a 
terror attack. As a Nation, I think we have done a fairly good job 
of updating the physical security at the ports, but we certainly 
have concerns that remain about whether or not the cyhersecurity 
at our ports is adequate. Under the Maritime Transportation Secu- 
rity Act of 2002, the Coast Guard was granted responsibility for the 
protection of communication systems, including information that 
flows through the maritime transportation system. Port facilities 
and ship operators, like many industries in America, are relying 
certainly increasingly on automation to streamline operations. 

While those kinds of innovations certainly reduce time and lower 
the cost of doing business, they also carry a risk. Terror groups, na- 
tion states, criminal organizations, hackers, and even disgruntled 
employees could breach these systems with potentially catastrophic 
results to the Nation’s economy. More than $1 trillion of goods, 
from cars to oil to corn and everything in between move through 
the Nation’s seaports each and every year. Increasingly, cargo is 
moving through our ports using automated industrial control sys- 
tems. These systems are controlling machinery on ports that move 
containers or fill tanks and load and offload ships. I understand 
that the Port of Long Beach and port partners are working toward 
building, perhaps, the most automated and efficient container ter- 
minal in the United States. So we will be looking forward to that 
testimony from Mr. Parsons about that. 

While this automation certainly has a lot of benefits, it doesn’t 
come without risks. In 2014, a major U.S. port facility suffered a 
system disruption that shut down a significant number of ship-to- 
shore cranes for several hours. In Europe, drug smugglers at- 
tempted to hack into cargo tacking systems to rearrange containers 
and to hide their drugs. Foreign military is suspected of compro- 
mising several systems aboard a commercial ship contracted by the 
U.S. Transportation Control. These breaches in the maritime do- 
main are certainly concerning not only from an economic stand- 
point but because of the dangerous cargo, such as liquified natural 
gas and other certain dangerous cargo that pass through the Na- 
tion’s seaports. If a cyber breach were to occur that tampered with 
the industrial control systems that monitor these cargos, it could 
potentially allow the release of very, very dangerous chemicals. 

The private sector, of course, owns the ports and must clearly 
protect its own interests. However, the Department of Homeland 
Security has to be involved to ensure communication between ports 
Nation-wide. Information sharing will undoubtedly be part of any 
solution that we look to to protect our seaports. We have to have 
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a strategy that looks beyond individual ports. Just as we have 
hardened physical security, we need to do the same in the virtual 
space for systems critical to the maritime transportation system to 
protect against malicious actors. 

The first step in reducing this risk is to conduct risk assess- 
ments. The Coast Guard has not yet conducted cyber risk assess- 
ments, though some individual ports have taken the initiative 
themselves. Port security grants can certainly be a way to help port 
operators make wise choices based on an individual assessment of 
risk. In providing that grant funding, however, we certainly need 
to understand which ports are at risk of a cyber incident. Retooling 
the maritime security risk analysis model to incorporate cyber risks 
is a concept worth exploring further and incorporating it into the 
Port Security Grant Program as well. 

Then, finally, I think we need to better understand how the De- 
partment of Homeland Security, through the National Protection 
and Programs Directorate and the National Cybersecurity and 
Communications Integration Center, interfaces with the U.S. Coast 
Guard’s cyber efforts. This is a very technical field, which may or 
may not be outside of the expertise of the Coast Guard inspector. 
So despite the exposure for proprietary information, we are won- 
dering whether or not third-party validators, authorized by the 
Coast Guard, who would have oversight of such a thing, could they 
review and certify cybersecurity standards. So perhaps there is 
some merit in looking at that model for cybersecurity. We would be 
interested in pursuing that as well. 

I certainly want to thank the witnesses for appearing before us. 
I am going to give you a more formal introduction in just a mo- 
ment. 

But the Chair now recognizes our Ranking Member of the sub- 
committee, the gentleman from Texas, Mr. Vela, for any statement 
that he may have. 

[The statement of Chairman Miller follows:] 

Statement of Chairman Candice S. Miller 

Before we start, I would just like to offer my thoughts and prayers to the family 
of the 33 crewmembers of the El Faro, the cargo container ship that went missing 
last week near the Bahamas. I thank the men and women of the Coast Guard for 
their valiant efforts to find the ship and the missing crew. 

The purpose of today’s hearing is to examine the vulnerability of seaports to cyber 
attacks and how well we are prepared to prevent and respond to such an attack. 

Our meeting today marks the first Congressional hearing convened to examine cy- 
bersecurity at our Nation’s ports, which is fitting since October is also National Cy- 
bersecurity Awareness Month. 

The United States Coast Guard is the Government agency responsible for the 
physical security of our Nation’s port infrastructure. Working through the Area 
Maritime Security Committees, the Coast Guard partners with port authorities and 
operators to update access controls, fence-off sensitive areas of the ports, and in- 
crease surveillance when appropriate. 

Since the terrorist attacks of September 11, 2001, the United States Congress has 
appropriated $2.4 billion dollars in port security grant funds to harden port facilities 
against the potential for a terror attack. As a Nation, we have done a fairly good 
job updating the physical security at ports, but I am concerned that the U.S. Gov- 
ernment has fallen behind when it comes to the cybersecurity of the port. 

Under the Maritime Transportation Security Act of 2002, the U.S. Coast Guard 
was granted responsibility for the protection of communication systems, including 
information that flows through the Marine Transportation System. Port facilities 
and ship operators, like many industries in America, increasingly rely on automa- 
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tion to streamline operations. While those innovations reduce the time it takes to 
stock our shelves, and lower the cost of doing business, they also carry risk. 

Terror groups, nation-states, criminal organizations, hackers and even disgruntled 
employees could breach these systems — with potentially catastrophic results to the 
Nation’s economy. 

More than $1 trillion dollars of goods, from cars to oil to corn and ever 3 dhing in 
between move through the Nation’s seaports every year. 

Increasingly, cargo is moving through our ports using automated industrial con- 
trol systems. These computer systems are controlling machinery on ports to move 
containers, fill tanks and on-load and off-load ships. 

I understand that the Port of Long Beach and port partners are working towards 
building perhaps the most automated and efficient container terminal in the United 
States. Once completed it will reduce wait times at the ports and increase through- 
put. 

While this automation has substantial benefits, it does not come without risks. 
In 2014, a major U.S. port facility suffered a system disruption that shut down a 
significant number of ship-to-shore cranes for several hours. In Europe, drug smug- 
glers attempted to hack into cargo tracking systems to rearrange containers and 
hide their drugs. Similarly, a foreign military is suspected of compromising several 
systems aboard a commercial ship contracted by the U.S. Transportation Command. 

These breaches in the maritime domain are particularly concerning, not only from 
an economic standpoint, but because of the dangerous cargo such as Liquefied Nat- 
ural Gas, and other Certain Dangerous Cargos that also pass through the Nation’s 
seaports. If a cyber breach were to occur that tampered with the industrial control 
systems that monitor these cargos, it could potentially allow the release of harmful 
and dangerous chemicals. 

Despite the fact the GAO has placed cyber security of our Nation’s critical infra- 
structure on the “High Risk” list since 2003, the Coast Guard, and DHS as a whole, 
have been slow to fully engage on cybersecurity efforts at the Nation’s 360 seaports. 

The threat of cyber attack is worrisome to be sure. But when it comes to the mari- 
time domain and the protection of maritime critical infrastructure, who is really in 
charge? 

The private sector owns the ports, and must clearly protect its own interests. 
However, the Department of Homeland Security must be involved to ensure commu- 
nication between ports Nation-wide. Information sharing will undoubtedly be part 
of any solution as we look to protect our seaports and we must have a strategy that 
looks beyond individual ports. 

Just as we have hardened physical security, we need to do the same in the virtual 
space for systems critical to the marine transportation system to protect against ma- 
licious actors. The first step in reducing this risk is to conduct risk assessments. 
The Coast Guard has not yet conducted cyber risk assessments, though some indi- 
vidual ports have taken the initiative themselves. 

Port security grants can be a way to help port operators make wise choices based 
on an individual assessment of risk. In providing grant funding, however, we must 
understand which ports are at risk of a cyber incident. Retooling the Maritime Secu- 
rity Risk Analysis Model to incorporate cyber risks is a concept worth exploring fur- 
ther and incorporating into the port security grant program. 

Finally, I want to better understand how DHS, through the National Protection 
and Programs Directorate (NPPD) and the National Cybersecurity and Communica- 
tion Integration Center, interfaces with the U.S. Coast Guard’s cyber efforts. 

We are all aware that the Government moves slowly and this can cause us to 
quickly fall behind, especially in an area like cyber that moves rapidly. 

With that in mind, should the Coast Guard’s role in cyber be limited to oversight 
and prevention rather than the creation of standards? 

This is a very technical field which may be outside the expertise of a Coast Guard 
Inspector. Therefore, despite the exposure to proprietary information, could third- 
party validators, authorized by the Coast Guard, review and certify cybersecurity 
standards? I think there is merit in looking at that model for cybersecurity and 
would be interested in hearing from the witnesses on that topic. 

I thank the witnesses for appearing before us today and look forward to their tes- 
timony. 

Mr. Vela. Chairman Miller, thank you for holding today’s hear- 
ing to discuss the threat of cyber attack at ports and what the U.S. 
Coast Guard and the Department of Homeland Security are doing 
with private and public partners to protect maritime critical infra- 
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structure against such attacks. I thank all our witnesses for being 
with us here today. 

Since the Coast Guard is responsible for the security of our Na- 
tion’s ports, entities both in the private sector and in local and 
State government rely on the service’s leadership when doing their 
part to mitigate risks at our ports. As Ranking Member of the sub- 
committee and as a Member representing a district along the Gulf 
of Mexico, I have an interest in port security issues and recognize 
the unique challenges each port faces. 

Texas’ District 34 includes four maritime ports — the Port of 
Brownsville, the Port of Harlingen, Port Isabel, and Port Mans- 
field — and is adjacent to the Port of Corpus Christi, which is rep- 
resented by Congressman Farenthold. Each of these ports has its 
own set of characteristics, managing various volumes and types of 
cargo and other commercial traffic. One of the differences is, for ex- 
ample, the Port of Brownsville and the Port of Harlingen are about 
17 miles inland whereas the port of Corpus Christi is right adja- 
cent to a city of 300,000 people. I have met with the chief of police 
at the Port of Corpus Christi. I know he has some concerns about 
some of the vulnerabilities there. I look forward to hearing about 
that. As with other ports, facilitating the flow of commerce must 
be judiciously balanced with measures required to keep our ports 
secure. As in my district, many of our Nation’s ports are closely 
linked to other vital transportation networks and critical infra- 
structure which often lead to major metropolitan areas. 

Traditionally, our focus has been on the physical security of these 
ports. Today, we will discuss an important element that is growing 
and rapidly evolving, the use of technology at ports and the secu- 
rity risks posed by our increased reliance on these automated and 
networked systems. There is no question that technology can en- 
hance the operations and security of seaports which, in turn, helps 
boost economies through the import and export of goods. This tech- 
nology also adds an additional level of risk that we must better un- 
derstand and mitigate. 

Though this subcommittee does not typically discuss cybersecu- 
rity, it is important that we understand the Federal Government’s 
role in this important port security issue. Last June, the Govern- 
ment Accountability Office issued a report on cybersecurity at 
ports. Its findings highlighted several actions the Coast Guard and 
DHS as a whole should take in order to better prepare for and 
ideally prevent cyber attacks on systems used at seaports. In June, 
the Coast Guard published their cyber strategy, which discussed 
the need to include cybersecurity as an element of security regimes 
for maritime critical infrastructure. Today, I hope to better under- 
stand how the GAO’s findings influenced Coast Guard cyber strat- 
egy and how it will help inform implementation of the strategy. 

I would like to learn more about how the Coast Guard is devel- 
oping guidance and standards that will address safety and security 
concerns while being sufficiently flexible for ports around the coun- 
try. There are no one-size-fits-all solutions. What works in Long 
Beach may well not work best for Brownsville, for example. I also 
hope to hear directly from our port witnesses today about how 
ports of different types and sizes are addressing cybersecurity and 
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what more the Coast Guard, DHS, and Congress can do to support 
your efforts. 

I am hopeful that today’s hearing will broaden the subcommit- 
tee’s understanding of the emerging risks related to technology at 
our ports. 

With that, Madam Chairman, I yield back the balance of my 
time. 

Mrs. Miller. I thank the gentleman very much. Members are re- 
minded that additional statements may be submitted for the 
record. 

[The statement of Ranking Member Thompson follows:] 

Statement of Ranking Member Bennie G. Thompson 
October 8, 2015 

The Committee on Homeland Security has long been engaged on the issues of cy- 
bersecurity, port security, and critical infrastructure protection. This hearing brings 
those critical issues together by focusing on cybersecurity at America’s ports. 

A 2014 Government Accountability Office (GAO) report found that actions taken 
by the Department of Homeland Security (DHS) and other Federal agencies to ad- 
dress cybersecurity in the maritime port environment have been limited. So much 
of the focus has been on improving the physical security at ports that cybersecurity 
at ports, an emerging threat, has been secondary. 

In recent years, cyber technology has helped promote efficient port operations and 
enhanced security. But these benefits come with risks to the Maritime Transpor- 
tation System. For example, in 2013, officials at Europol disclosed that a group of 
drug traffickers recruited hackers to breach information technology systems at the 
Port of Antwerp to smuggle container loads of cocaine. 

Our cargo security programs are predicated on electronic transmission of manifest 
data, underscoring the potential risk of such cyber breaches not just from drug 
smugglers, but also other criminals and even terrorists. Requiring the Coast Guard 
to complete a cyber risk assessment and ensure that cyber risks are addressed in 
maritime security plans, as recommended by GAO, is a good first step toward reduc- 
ing cyber vulnerabilities at ports. 

Similarly, allowing Port Security Grant Program funds to be used for cybersecu- 
rity, and ensuring the funds are used effectively, is a step in the right direction. 
The Coast Guard’s June 2015 Cyber Strategy presents cyber space as another oper- 
ational domain for the Service, and sets forth three strategic priorities: Defending 
cyber space, enabling operations, and protecting infrastructure. 

I look forward to hearing from the Coast Guard today about how they intend to 
implement this Strategy, with the help of other Government and private-sector 
stakeholders. I also want to hear from GAO about what more can be done by DHS 
and the Coast Guard in this domain, as Coast Guard implements its strategy. 

Finally, I want to discuss with the ports how we can support their cybersecurity 
efforts, recognizing that each port is different and no single solution is likely to be 
appropriate for all. Certainly, providing ports and other stakeholders, like terminal 
operators and transportation companies, with the appropriate guidance and exper- 
tise will be essential. Adequate resources are also going to be necessary to address 
cybersecurity risks at ports, and Congress must provide those resources and help 
ensure they are used wisely. 

Mrs. Miller. Again, we are pleased to be joined by four very dis- 
tinguished witnesses today to discuss this very important topic. In 
way of a more formal introduction. Rear Admiral Paul Thomas 
serves as the assistant commandant for prevention policy in the 
United States Coast Guard. In this role. Admiral Thomas oversees 
three Coast Guard directorates: Inspections and Compliance; Ma- 
rine Transportation Systems; and Commercial Regulations and 
Standards. In addition to his assignment at the Coast Guard head- 
quarters here in Washington, Admiral Thomas has also served in 
San Francisco, Port Canaveral, Florida, and Galveston, Texas. 
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Mr. Gregory Wilshusen is the director of information security 
issues at GAO, where he leads cybersecurity and privacy-related 
studies and audits of the Federal Government and critical infra- 
structure. He has over 30 years of auditing, financial management, 
and information systems experience, having served at the Depart- 
ment of Education before joining the GAO in 1997. 

Mr. Randy Parsons is the director of security services for the 
Port of Long Beach, California, the Nation’s second-busiest seaport, 
a position that he has held since the fall of 2012. Mr. Parsons over- 
sees more than 80 security personnel, including harbor patrol offi- 
cers. He directs the homeland security program for the 3,000-acre 
port complex, including 24-hour patrol, antiterrorism programs, 
and security coverage. He has a long history of public service, 
which includes time with the FBI and at TSA. Mr. Jonathan 
Sawicki is the security improvement program manager for the 
Ports of Brownsville and Harlingen, Texas, where since 2008, he 
has assisted in the development of port-wide security strategic risk 
management plans, including a TWIG card reader deployment pro- 
gram at the Port of Brownsville. 

So their full written statements will appear in the record. 

The Chair now recognizes Admiral Thomas for his testimony. 
Thank you, sir. 

STATEMENT OF REAR ADMIRAL PAUL F. THOMAS, ASSISTANT 

COMMANDANT, PREVENTION POLICY, U.S. COAST GUARD, 

U.S. DEPARTMENT OF HOMELAND SECURITY 

Admiral Thomas. Thank you. Madam Chairman. Good morning. 
Good morning to the distinguished Members of the committee. 
Thank you for your continued strong support of the Coast Guard 
and for this opportunity to talk about the very important, relevant, 
and timely topic of cyber in the maritime sector. 

Madam Chairman, if I may, before we begin this morning, join 
you in offering, on behalf of all the men and women of the Coast 
Guard, our deepest condolences to the families of the 33 souls that 
were lost aboard El Faro last week. As mariners and maritime pro- 
fessionals, we know only too well the perils that all those who 
serve our Nation at sea face. We felt the loss of El Faro very deep- 
ly- 

Madam Chairman, as has already been mentioned, the Coast 
Guard recently released our cyber strategy. That strategy recog- 
nizes that cyber does not represent a new mission for the Coast 
Guard but is, in fact, a domain in which we must be able to operate 
effectively in order to conduct all of our missions, including our re- 
sponse and our prevention missions. In that sense, the Coast 
Guard authorities, responsibilities, roles, and missions naturally 
extend into cyber space. The cyber strategy identifies three prior- 
ities for our service: Defending our own cyb^er space, enabling Coast 
Guard operations, and protecting critical maritime infrastructure. 

It is this third priority that falls within my purview and the 
Coast Guard and which I understand is of most interest to this 
committee today. The Coast Guard is really well-suited to take a 
leadership role in addressing cyber risks to maritime critical infra- 
structure as part of the larger interagency effort led by the Depart- 
ment of Homeland Security and in conjunction with maritime 
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stakeholders. The Coast Guard, as has already heen mentioned, 
has a long history of working with port partners across the inter- 
agency to mitigate safety, security, and environmental risks to U.S. 
ports. We will take the same approach in the cyher domain. The 
Coast Guard is the sector-specific agency for maritime transpor- 
tation under the National Infrastructure Protection Plan. Whether 
the initiating event occurs in cyher space or in a physical domain, 
the Coast Guard already has broad authority and responsibility 
under the Maritime Transportation Security Act to prevent trans- 
portation security incidents. We have similar authority and respon- 
sibility under a number of statutes to prevent accidents and inci- 
dents that may damage people, property, or the environment. We 
have an existing regulatory structure that requires regulated in- 
dustry to assess safety, security, and environmental risks, and to 
address those risks. 

The Coast Guard has already undertaken significant effort with- 
in the interagency, industry, academia, and with our international 
partners to assess and understand cyber risk in a maritime trans- 
portation system. In the course of this work, we have leveraged the 
expertise that exists at the Department of Homeland Security, the 
Department of Energy, the Department of Defense, the National 
Institute for Standards and Technology to many others. Our ulti- 
mate goal is to incorporate cyber risk management into the existing 
safety and security regimes that have served the maritime industry 
and the American public so well for so long. Of course, in doing so, 
we will remain focused, as we always have, on risk-based perform- 
ance standards that provide flexible, layered protection against 
cyber risks while allowing the benefits of cyber-enabled operations 
in the MTS. 

There is no doubt, it has been mentioned, cyber capabilities that 
make our transportation systems more effective, efficient, produc- 
tive, and environmentally friendly also introduce operational risks 
that now have to be managed effectively. We have already seen in- 
cidents in the maritime transportation system that have resulted 
in physical consequences or significant near misses. In some cases, 
it would appear that these were intentional actions, perhaps by ac- 
tors with malicious intent. But in other cases, they were clearly ac- 
cidents caused by improper use or maintenance of cyber systems. 
That is why cyber is both a safety and a security issue. That is why 
the Coast Guard is holistically addressing cyber risk management 
as just that, a risk management challenge. Thank you for your 
time and attention. I look forward to hearing from the rest of the 
panelists and to further discussion. 

[The prepared statement of Admiral Thomas follows:] 

Prepared Statement of Paul F. Thomas 
October 8, 2015 

INTRODUCTION 

Good morning Madam Chairman and distinguished Members of the committee. I 
am honored to be here to discuss cybersecurity in U.S. ports. I will focus my com- 
ments in three areas. The first is to recognize the importance of cybersecurity and 
then explain cyber safety concerns, which emphasize the need to view this issue as 
a “cyber risk management” challenge. The second is to explain the need for an ap- 
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proach that emphasizes the essential role and responsibilities of maritime industry 
partners. The third is to outline what we have achieved and propose a way forward. 

The Coast Guard has a long history of working with port partners to mitigate 
safety, security, and environmental risks to U.S. ports and maritime critical infra- 
structure. Since our founding in 1790, we have patrolled in the Nation’s ports and 
waterways to prevent and respond to major threats and hazards. Since Congress es- 
tablished the Steamboat Inspection Service in 1852, Coast Guard prevention au- 
thorities have evolved alongside emerging threats and changing port infrastructure. 
The Coast Guard established Captains of the Port to execute these authorities and 
work with our partners to prepare our ports for natural disasters, accidents, and 
deliberate acts. 

Over time, the Coast Guard and the maritime industry have cooperated to ad- 
dress the risks associated with new threats and technologies. Security threats have 
evolved from coastal piracy to complex smuggling operations, transnational orga- 
nized crime, and terrorism. Safety risks have likewise evolved as merchant shipping 
progressed from sailing ships to ships driven by coal-fired steam boilers, to diesel 
engines and most recently to liquefied natural gas. Waterfront operations evolved 
from break bulk cargos to containerization, with sophisticated systems now control- 
ling the movement and tracking of containerized and liquid cargos. 

The Coast Guard’s recently-developed Cyber Strategy proposes three strategic pri- 
orities for the service — defending our own cyber space, enabling Coast Guard oper- 
ations, and protecting maritime critical infrastructure. Cybersecurity in U.S. ports 
is a key goal of this strategy. 

CYBER RISKS AND THE MARINE TRANSPORTATION SYSTEM 

Similar to other sectors, emerging cyber threats in the port environment are di- 
verse and complex. Cyber risks manifest themselves as both safety and security con- 
cerns. As such, the Coast Guard is emphasizing the term “cyber risk management,” 
which also addresses how much the maritime transportation system (MTS) relies on 
information technology systems to connect to the global supply chain. Vessel and fa- 
cility operators use computers and cyber-dependent systems for navigation, commu- 
nications, engineering, cargo, ballast, safety, environmental control, and emergency 
systems such as security monitoring, fire detection, and alarm systems. Collectively 
these systems enable the MTS to operate with an impressive record of efficiency and 
reliability. 

While these information technology systems create benefits, they also introduce 
potential risks. Exploitation, misuse, or simple failure of information technology sys- 
tems can cause injury or death, harm the marine environment, or disrupt vital 
trade activity. 

Outside the United States, cyber-related incidents among technology systems 
have been reported ranging from container terminal operations ashore to offshore 
platform stability and dynamic positioning for offshore supply vessels. While in 
some cases criminals may have been the source of these events, others have been 
the result of non-targeted malware or relatively unsophisticated insider threats. 
Even legitimate functions, such as remotely-driven software updates, can disable 
vital systems if done at the wrong time or under the wrong conditions. 

In one well-publicized event, organized crime exploited a European container ter- 
minal’s cargo tracking system to facilitate drug smuggling. Cargo control is also one 
of the requirements of the Coast Guard’s Maritime Transportation Security Act 
(MTSA) regulations, and we are well aware that such an incident, or one even more 
serious, might occur in the United States. 

“Cyber risk management” also has safety implications. We are aware of incidents 
in which software problems led to the failure of dynamic positioning or navigation 
systems. These were not due to targeted attacks, but malware that migrated to vital 
systems through poor information technology practices. 

As port facilities and vessels continue to incorporate information technology sys- 
tems into their operations, the Coast Guard must adapt its regulatory regime ac- 
cordingly. Regardless of whether an incident is a cyber attack, or a cyber accident, 
we must recognize the potential consequences to mariners, port workers, the public, 
and the marine environment. With approximately 360 sea and river ports that han- 
dle more than $1.3 trillion in annual cargo, our Nation is critically dependent on 
a safe, secure, and efficient MTS. 

UNITY OF EFFORT — PARTNERSHIPS, LEARNING, AND COORDINATION 

The Coast Guard is working closely with the Department of Homeland Security 
(DHS) and other Government agencies to help the maritime industry identify their 
cyber risks. 
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This past March, the Coast Guard sponsored a seminar at the DHS Center of Ex- 
cellence at Rutgers University on maritime cyher risks. We held a similar event at 
the Coast Guard Academy, and a follow-up at the California Maritime Academy to 
address specific cyher research questions. Each of these events included a broad 
range of cyber practitioners from industry. Government, and academia. 

In another effort, the Coast Guard Research and Development Center (supported 
by DHS S&T/Cyber Security Division) recently evaluated cyber vulnerabilities asso- 
ciated with wireless access to maritime critical infrastructure at certain U.S. ports. 
The preliminary results indicate significant vulnerabilities. While this study is rel- 
atively narrow in scope, the Coast Guard is continuing to evaluate the broad range 
of cyber risks in the maritime domain. 

The Coast Guard has also partnered with various groups to evaluate and address 
cyber risks more systematically. Working with the American Association of Port Au- 
thorities and the National Institute of Standards and Technology (NIST), we are de- 
veloping a cyber risk profile for bulk liquid terminals — such as those that transfer 
oil, gasoline, and liquid hazardous materials. 

Another area with potentially significant consequences is the offshore oil and nat- 
ural gas industry. This industry relies on information technology systems for a wide 
variety of functions — from the dynamic positioning systems that allow for precise 
navigation control, even in heavy wind and sea conditions, to real-time monitoring 
of drilling and production activity. Along with senior representatives from industry, 
the Department of Energy, and DHS, I recently attended a meeting of the Energy 
Sector Coordinating Committee in Houston. The exclusive purpose of this meeting 
was to discuss cyber risks. While the potential threats to this industry could be seri- 
ous, I was very pleased with the cooperation and realistic approach that the partici- 
pants expressed. As part of a related effort, the Coast Guard is working with the 
National Offshore Safety Advisory Committee to address cyber risks in the offshore 
industry. 

Our work with other agencies, advisory bodies, and institutions has helped us 
identify the standards and best practices that can reduce risk. The Coast Guard is 
a strong advocate for using effective cybersecurity tools, guidelines, and sources of 
information. These include the Cybersecurity Framework developed by the NIST, 
the Cyber Capability Maturity Model developed by the Department of Energy, and 
the services provided by DHS’s Computer Emergency Response Team (CERT), 
among others. 


INTERNATIONAL CONSIDERATIONS 

Cyber risks are an inherently global issue, and cooperation with international 
partners is an important part of our strategy. Covert electronic surveillance by for- 
eign ships visiting our ports is a long-standing security concern, and cyber tech- 
nology certainly provides new avenues for such activity. Sound cyber practices by 
marine terminals can help minimize the likelihood that they might become victims 
of such activity, or of less nefarious activity that might still impact their business 
or operations. 

Failure to follow sound cyber practices may create as much risk as not conducting 
proper equipment maintenance or adequate crew training for conventional ship- 
board emergencies. Accordingly, the Coast Guard is working within the Inter- 
national Maritime Organization to incorporate cyber risks into Safety Management 
System requirements, as well as the International Ship and Port Facility Security 
(ISPS) Code. While this is a deliberate and lengthy process, we have strong support 
from several nations, including Canada, South Korea, and Japan. 

COAST GUARD ACTIVITIES TO ADDRESS CYBER RISKS IN THE MARINE TRANSPORTATION 

SYSTEM 

The Coast Guard is and has been working to address cyber risks in the Marine 
Transportation System. In 2012, we directed all of our Area Maritime Security Com- 
mittees (AMSC) to consider cyber issues alongside more conventional risks as they 
evaluated potential security risks to their ports. Required by the MTSA, AMSCs are 
public-private partnerships that are chaired by the local Captain of the Port. All 
port stakeholders are represented at their local AMSC, including representatives 
from the Federal, State, and local government, as well as private industry and 
labor. 

Across the country, AMSCs have established cyber subcommittees, evaluated cy- 
bersecurity risks, held cyber-related exercises, and assisted in the evaluation of port 
security grant funding, including grants directed specifically at cybersecurity 
vulnerabilities. AMSCs also serve as a forum to share best practices across Govern- 
ment and industry, such as the FBI’s InfraGard program. 
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Because no amount of effort can guarantee that a cyber incident will not occur, 
the management of cyber risk demands a significant resilience and recovery aspect. 
AMSCs include a recovery annex to their Area Maritime Security Plans and these 
annexes are well-suited to include cyber events as an element in port contingency 
planning. If or when there is a cyber incident in any given port area, our collective 
goal must be to continue safe and secure operations with minimal disruptions. 

CURRENT CHALLENGES AND FUTURE PLANS 

The Coast Guard has made considerable progress in improving our own under- 
standing of cyber risks, as well as improving cyber preparedness in ports and across 
the maritime industry. Despite these accomplishments, we know that significant 
work remains. 

Our ultimate goal is to incorporate cyber risk management into the existing safety 
and security regimes that have served the industry, the Coast Guard, and the public 
so well, for so long. This past January, we held a public meeting to solicit sugges- 
tions on how to best accomplish this goal. We will continue to engage with industry 
and the public as we proceed. 

The complexity of cyber technology, and the fast pace of change, suggest that any 
requirements will need to be risk- and performance-based. That is, rather than man- 
date a specific technical solution, the Coast Guard believes that facility and vessel 
operators should identify and evaluate the vulnerabilities and consequences associ- 
ated with their cyber systems, and put in place an appropriate suite of mitigating 
measures sufficient to achieve an acceptable level of security. This approach has 
served the industry and public well in conventional safety and security risks. Our 
challenge is to devise a methodology suited to the nuances of cyber risk. Of course 
it must produce meaningful results in a way that the vessel or facility operators can 
demonstrate an acceptable level of security to the Coast Guard and other interested 
parties. 

In addition to policy development, we recognize the need to develop our own work- 
force and take other measures to ensure we have the capacity and skills necessary 
to carry out those policies. The Coast Guard Cyber Strategy identifies several fac- 
tors to this end, including training, education, organizational structure, and partner- 
ships. 

In addressing cyber risks to ports and other aspects of the maritime industry, our 
commitment is to address those risks with the same level of professionalism, effi- 
ciency, and effectiveness that the public has come to expect. The Coast Guard will 
continue to adapt, as it has done over the last two centuries, to the challenges and 
opportunities that accompany technological advancements in our operating environ- 
ment. 

Thank you for the opportunity to testify today, and thank you for your continued 
support of the United States Coast Guard. I am pleased to answer your questions. 

Mrs. Miller. Thank you very much. 

The Chair now recognizes Mr. Wilshusen for his testimony. 

STATEMENT OF GREGORY C. WILSHUSEN, DIRECTOR, INFOR- 
MATION SECURITY ISSUES, U.S. GOVERNMENT ACCOUNT- 
ABILITY OFFICE 

Mr. Wilshusen. Chairman Miller, Ranking Member Vela, and 
Members of the subcommittee, thank you for inviting me to testify 
today at today’s hearing on cybersecurity risks facing our Nation’s 
maritime facilities. 

As you know, maritime ports are an essential part of the United 
States transportation critical infrastructure and handle more than 
$1.3 trillion of cargo each year. A major disruption in the maritime 
transportation system could have a significant impact on global 
shipping, international trade, and our National economy. 

Today I will summarize GAO’s report on maritime port cyberse- 
curity that we issued back in June 2014. The report addresses 
cyber-related threats facing our Nation’s ports and the steps the 
U.S. Coast Guard and other stakeholders had taken to address 
cyber risks. But before I began. Madam Chairman, if I may, I 
would like to recognize several teammates who were instrumental 
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in developing my statement and conducting the work underpinning 
it. Mike Gilmore, who is with me today, is an assistant director and 
led this engagement; along with Brad Becker; and Kush Malhotra. 
Lee McCracken, Jennifer Bryant, and Scott Pettis also made sig- 
nificant contributions to this effort. 

Madam Chairman, our Nation and its ports face an evolving 
array of cyber-based threats. The increasing dependence of port ac- 
tivities on computerized information and communication systems to 
manage the movement of cargo makes them vulnerable to many of 
the same threats facing other cyber-reliant critical infrastructure. 
These threats include both targeted and untargeted exploits from 
a variety of sources, including criminal groups, nation-states, and 
state-sponsored entities, and disgruntled insiders. By exploiting 
vulnerabilities in information and communication technology sup- 
porting port operations, cyber adversaries can potentially disrupt 
the flow of commerce, endanger public safety, and facilitate the 
theft of valuable cargo. 

In June 2014, we reported that the Coast Guard and other stake- 
holders had taken limited steps to address cybersecurity at selected 
ports. Specifically, the Coast Guard had not included cyber-related 
risks in its 2012 biannual assessment of risk to the maritime envi- 
ronment. Maritime security plans required by law and regulation 
generally contained very limited information on cyber threats and 
vulnerabilities because the guidance issued by the Coast Guard did 
not require cyber elements to be addressed. 

In addition, the Coast Guard helped to establish information- 
sharing mechanisms. But one of them, a maritime sector coordi- 
nating council comprised of private-sector stakeholders, disbanded 
in 2011, eliminating a National-level forum for sharing and coordi- 
nating information on port security. We also reported that the Fed- 
eral Emergency Management Agency, or FEMA, identified enhanc- 
ing cybersecurity capabilities as a priority for its Port Security 
Grant program. However, its grant review process was not in- 
formed by Coast Guard cybersecurity expertise, thereby increasing 
the risks that the grants were not allocated to projects that would 
effectively enhance port security. 

In our 2014 report, we recommended that the Coast Guard in- 
clude cyber risks in its updated risk assessment for the maritime 
environment, address cyber risks in its guidance for maritime secu- 
rity plans, and consider reestablishing the sector coordinating 
council. We also recommended that FEMA ensure funding decisions 
for its Port Security Grant Program are informed by cybersecurity 
expertise and a comprehensive risk assessment. 

DHS concurred with our recommendations. Since our report was 
issued in 2014, the Coast Guard and FEMA have taken actions to 
partially implement two of our recommendations. In summary, pro- 
tecting our maritime ports from cyber-based threats is of increasing 
importance. While the Coast Guard and FEMA have taken steps, 
more needs to be done to ensure that the Federal and non-Federal 
stakeholders are working together effectively to mitigate these 
threats. Fully implementing our recommendations will help the 
Coast Guard and FEMA achieve this. 
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Chairman Miller, Ranking Member Vela, and Members of this 
committee, this concludes my opening statement. I would be happy 
to answer your questions. 

[The prepared statement of Mr. Wilshusen follows:] 

Prepared Statement of Gregory C. Wilshusen 
October 8, 2015 

GAO HIGHLIGHTS 

Highlights of GAO-16-1 16T, a testimony before the Subcommittee on Border and 
Maritime Security, Committee on Homeland Security, House of Representatives. 

W7iy GAO Did This Study 

The Nation’s maritime ports handle more than $1.3 trillion in cargo each year: 
A disruption at one of these ports could have a significant economic impact. Increas- 
ingly, port operations rely on computerized information and communications tech- 
nologies, which can be vulnerable to cyber-based attacks. Federal entities, including 
DHS’s Coast Guard and FEMA, have responsibilities for protecting ports against 
cyber-related threats. GAO has designated the protection of Federal information 
systems as a Government-wide high-risk area since 1997, and in 2003 expanded this 
to include systems supporting the Nation’s critical infrastructure. 

This statement addresses: (1) Cyber-related threats facing the maritime port envi- 
ronment and (2) steps DHS has taken to address cybersecurity in that environment. 
In preparing this statement, GAO relied on work supporting its June 2014 report 
on cybersecurity at ports. (GAO-14^69) 

What GAO Recommends 

In its June 2014 report on port cybersecurity, GAO recommended that the Coast 
Guard include cyber risks in its updated risk assessment for the maritime environ- 
ment, address cyber risks in its guidance for port security plans, and consider rees- 
tablishing the sector coordinating council. GAO also recommended that FEMA en- 
sure funding decisions for its port security grant program are informed by subject- 
matter expertise and a comprehensive risk assessment. DHS has partially ad- 
dressed two of these recommendations since GAO’s report was issued. 

MARITIME CRITICAL INFRASTRUCTURE PROTECTION. — DHS NEEDS TO ENHANCE EFFORTS 
TO ADDRESS PORT CYBERSECURITY 


What GAO Found 

Similar to other critical infrastructures, the Nation’s ports face an evolving array 
of cyber-based threats. These can come from insiders, criminals, terrorists, or other 
hostile sources and may employ a variety of techniques or exploits, such as denial- 
of-service attacks and malicious software. By exploiting vulnerabilities in informa- 
tion and communications technologies supporting port operations, cyber attacks can 
potentially disrupt the flow of commerce, endanger public safety, and facilitate the 
theft of valuable cargo. 

In its June 2014 report, GAO determined that the Department of Homeland Secu- 
rity (DHS) and other stakeholders had taken limited steps to address cybersecurity 
in the maritime environment. Specifically: 

• DHS’s Coast Guard had not included cyber-related risks in its biennial assess- 
ment of risks to the maritime environment, as called for by Federal policy. Spe- 
cifically, the inputs into the 2012 risk assessment did not include cyber-related 
threats and vulnerabilities. Officials stated that they planned to address this 
gap in the 2014 revision of the assessment. However, when GAO recently re- 
viewed the updated risk assessment, it noted that the assessments did not iden- 
tify vulnerabilities of cyber-related assets, although it identified some cyber 
threats and their potential impacts. 

• The Coast Guard also did not address cyber-related risks in its guidance for de- 
veloping port area and port facility security plans. As a result, port and facility 
security plans that GAO reviewed generally did not include cyber threats or 
vulnerabilities. While Coast Guard officials noted that they planned to update 
the security plan guidance to include cyber-related elements, without a com- 
prehensive risk assessment for the maritime environment, the plans may not 
address all relevant cyber threats and vulnerabilities. 

• The Coast Guard had helped to establish information-sharing mechanisms 
called for by Federal policy, including a sector coordinating council, made up of 
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private-sector stakeholders, and a Government coordinating council, with rep- 
resentation from relevant Federal agencies. However, these bodies shared cyber- 
security-related information to a limited extent, and the sector coordinating 
council was disbanded in 2011. Thus, maritime stakeholders lacked a National- 
level forum for information sharing and coordination. 

• DHS’s Federal Emergency Management Agency (FEMA) identified enhancing 
cybersecurity capabilities as a priority for its port security grant program, 
which is to defray the costs of implementing security measures. However, 
FEMA’s grant review process was not informed by Coast Guard cybersecurity 
subject-matter expertise or a comprehensive assessment of cyber-related risks 
for the port environment. Consequently, there was an increased risk that grants 
were not allocated to projects that would most effectively enhance security at 
the Nation’s ports. 

GAO concluded that until DHS and other stakeholders take additional steps to 
address cybersecurity in the maritime environment — particularly by conducting a 
comprehensive risk assessment that includes cyber threats, vulnerabilities, and po- 
tential impacts — their efforts to help secure the maritime environment may be hin- 
dered. This in turn could increase the risk of a cyber-based disruption with poten- 
tially serious consequences. 

chairman Miller, Ranking Member Vela, and Members of the Subcommittee: 
Thank you for inviting me to testify at today’s hearing on the risks of cyber attacks 
facing our Nation’s maritime facilities. As you know, maritime ports are an essential 
part of the United States’ transportation critical infrastructure. They are an eco- 
nomic engine that handles more than $1.3 trillion in cargo each year. A major dis- 
ruption in the maritime transportation system could have a significant impact on 
global shipping, international trade, and the global economy, as well as posing risks 
to public safety. This risk is heightened by ports’ dependence on computer-reliant 
information and communication systems that may be vulnerable to cyber threats 
from various actors with malicious intent. Because of the increasing prevalence of 
cyber threats, since 1997 we have designated Federal information security as a Gov- 
ernment-wide high-risk area, and in 2003 we expanded this to include the protection 
of systems supporting our Nation’s critical infrastructure. ^ 

In my statement today, I will summarize the results of a report we issued in June 
2014 on the extent to which the Department of Homeland Security (DHS) and other 
stakeholders have addressed cybersecurity in the maritime port environment.^ Spe- 
cifically, I will discuss: (1) Cyber-related threats facing the maritime port environ- 
ment and (2) steps DHS and other stakeholders have taken to address cyber risks 
in the maritime environment, as well as provide updates on actions DHS has taken 
to implement recommendations we made in our report. More detailed information 
on our objective, scope, and methodology for that work can be found in the issued 
report. 

The work on which this testimony is based was conducted in accordance with gen- 
erally-accepted Government auditing standards. Those standards require that we 
plan and perform the audit to obtain sufficient, appropriate evidence to provide a 
reasonable basis for our findings and conclusions based on our audit objectives. We 
believe that the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

BACKGROUND 

The United States has approximately 360 commercial sea and river ports that 
handle more than $1.3 trillion in cargo annually. A wide variety of goods travels 
through these ports each day — including automobiles, grain, and millions of cargo 
containers. While no two ports are exactly alike, many share certain characteristics 
such as their size, proximity to a metropolitan area, the volume of cargo they proc- 
ess, and connections to complex transportation networks. These characteristics can 
make them vulnerable to physical security threats. 

Moreover, entities within the maritime port environment are vulnerable to cyber- 
based threats because they rely on various types of information and communications 
technologies to manage the movement of cargo throughout the ports. These tech- 
nologies include: 


1 GAO’s biennial high-risk list identifies Government programs that have greater vulnerability 
to fraud, waste, abuse, and mismanagement or need to address challenges to economy, effi- 
ciency, or effectiveness. See most recently, GAO, High-Risk Series: An Update, GAO— 15-290 
(Washington, DC: Feb. 11, 2015). 

2 GAO, Maritime Critical Infrastructure Protection: DHS Needs to Better Address Port Cyberse- 
curity, GAO-14--459 (Washington, DC: June 5, 2014). 
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• terminal operating systems, which are information systems used to, among 
other things, control container movements and storage; 

• industrial control systems, which facilitate the movement of goods using con- 
veyor belts or pipelines to structures such as refineries, processing plants, and 
storage tanks; 

• business operations systems, such as e-mail and file servers, enterprise re- 
sources planning systems, networking equipment, phones, and fax machines, 
which support the business operations of the terminal; and 

• access control and monitoring systems, such as camera surveillance systems 
and electronically-enabled physical access control devices, which support a 
port’s physical security and protect sensitive areas. 

All of these systems are potentially vulnerable to cyber-based attacks and other 
threats, which could disrupt operations at a port. 

Federal Policies and Laws Establish Requirements and Responsibilities for Pro- 
tecting Maritime Critical Infrastructure 

While port owners and operators are responsible for the cybersecurity of their op- 
erations, Federal agencies have specific roles and responsibilities for supporting 
these efforts. The National Infrastructure Protection Plan (NIPP) establishes a risk 
management framework to address the risks posed by cyber, human, and physical 
elements of critical infrastructure. It details the roles and responsibilities of DHS 
in protecting the Nation’s critical infrastructures; identifies agencies that have lead 
responsibility for coordinating with Federally-designated critical infrastructure sec- 
tors (maritime is a component of one of these sectors — the transportation sector); 
and specifies how other Federal, State, regional, local. Tribal, territorial, and pri- 
vate-sector stakeholders should use risk-management principles to prioritize protec- 
tion activities within and across sectors. 

The NIPP establishes a framework for operating and sharing information across 
and between Federal and non-Federal stakeholders within each sector. These coordi- 
nation activities are carried out through sector-coordinating councils and Govern- 
ment-coordinating councils. Further, under the NIPP, each critical infrastructure 
sector is to develop a sector-specific plan that details the application of the NIPP 
risk management framework to the sector. As the sector-specific agency for the mar- 
itime mode of the transportation sector, the Coast Guard is to coordinate protective 
programs and resilience strategies for the maritime environment. 

Further, Executive Order 13636, issued in February 2013, calls for various actions 
to improve the cybersecurity of critical infrastructure.^ These include developing a 
cybersecurity framework; increasing the volume, timeliness, and quality of cyber 
threat information shared with the U.S. private sector; considering prioritized ac- 
tions within each sector to promote cybersecurity; and identifying critical infrastruc- 
ture for which a cyber incident could have a catastrophic impact. 

More recently, the Cybersecurity Enhancement Act of 2014 further refined pub- 
lic-private collaboration on critical infrastructure cybersecurity by authorizing the 
National Institute of Standards and Technology to facilitate and support the devel- 
opment of a voluntary set of standards, guidelines, methodologies, and procedures 
to cost-effectively reduce cyber risks to critical infrastructure. 

In addition to these cyber-related policies and law, there are laws and regulations 
governing maritime security. One of the primary laws is the Maritime Transpor- 
tation Security Act of 2002 (MTSA) ® which, along with its implementing regulations 
developed by the Coast Guard, requires a wide range of security improvements for 
the Nation’s ports, waterways, and coastal areas. DHS is the lead agency for imple- 
menting the act’s provisions, and DHS component agencies, including the Coast 
Guard and the Federal Emergency Management Agency (EEMA), have specific re- 
sponsibilities for implementing the act. 

To carry out its responsibilities for the security of geographic areas around ports, 
the Coast Guard has designated a captain of the port within each of 43 geographi- 
cally-defined port areas. The captain of the port is responsible for overseeing the de- 
velopment of the security plans within each of these port areas. In addition, mari- 
time security committees, made up of key stakeholders, are to identify critical port 
infrastructure and risks to the port areas, develop mitigation strategies for these 
risks, and communicate appropriate security information to port stakeholders. As 
part of their duties, these committees are to assist the Coast Guard in developing 
port area maritime security plans. The Coast Guard is to develop a risk-based secu- 
rity assessment during the development of the port area maritime security plans 


3 Exec. Order No. 13,636, 78 Fed. Reg. 11,739 (Feb. 19, 2013). 
“Pub. L. No. 113-274 (Dec. 18, 2014). 

5 Pub. L. No. 107-295 (Nov. 25, 2002). 
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that considers, among other things, radio and telecommunications systems, includ- 
ing computer systems and networks that may, if damaged, pose a risk to people, 
infrastructure, or operations within the port. 

In addition, under MTSA, owners and operators of individual port facilities are 
required to develop facility security plans to prepare certain maritime facilities, 
such as container terminals and chemical processing plants, for deterring a trans- 
portation security incident. The implementing regulations for these facility security 
plans require written security assessment reports to be included with the plans 
that, among other things, contain an analysis that considers measures to protect 
radio and telecommunications equipment, including computer systems and net- 
works. 

MTSA also codified the Port Security Grant Program, which is to help defray the 
costs of implementing security measures at domestic ports. Port areas use funding 
from this program to improve port-wide risk management, enhance maritime do- 
main awareness, and improve port recovery and resilience efforts through devel- 
oping security plans, purchasing security equipment, and providing security training 
to employees. FEMA is responsible for administering this program with input from 
Coast Guard subject-matter experts. 

THE NATION AND ITS PORTS FACE AN EVOLVING ARRAY OF CYBER-BASED THREATS 

Like threats affecting other critical infrastructures, threats to the maritime IT in- 
frastructure are evolving and growing and can come from a wide array of sources. 
Risks to cyber-based assets can originate from unintentional or intentional threats. 
Unintentional threats can be caused by, among other things, natural disasters, de- 
fective computer or network equipment, software coding errors, and careless or poor- 
ly-trained employees. Intentional threats include both targeted and untargeted at- 
tacks from a variety of sources, including criminal groups, hackers, disgruntled in- 
siders, foreign nations engaged in espionage and information warfare, and terror- 
ists. 

These adversaries vary in terms of their capabilities, willingness to act, and mo- 
tives, which can include seeking monetary gain or pursuing a political, economic, 
or military advantage. For example, adversaries possessing sophisticated levels of 
expertise and significant resources to pursue their objectives — sometimes referred to 
as “advanced persistent threats” — pose increasing risks. They make use of various 
techniques — or exploits — that may adversely affect Federal information, computers, 
software, networks, and operations, such as a denial of service, which prevents or 
impairs the authorized use of networks, systems, or applications. 

Reported incidents highlight the impact that cyber attacks could have on the mar- 
itime environment, and researchers have identified security vulnerabilities in sys- 
tems aboard cargo vessels, such as global positioning systems and systems for view- 
ing digital nautical charts, as well as on servers running on systems at various 
ports. 

In some cases, these vulnerabilities have reportedly allowed hackers to target 
ships and terminal systems. Such attacks can send ships off course or redirect ship- 
ping containers from their intended destinations. For example, according to 
Europol’s European Cybercrime Center, a cyber incident was reported in 2013 (and 
corroborated by the FBI) in which malicious software was installed on a computer 
at a foreign port. The reported goal of the attack was to track the movement of ship- 
ping containers for smuggling purposes. A criminal group used hackers to break into 
the terminal operating system to gain access to security and location information 
that was leveraged to remove the containers from the port. 

DHS AND OTHER STAKEHOLDERS HAVE TAKEN LIMITED ACTIONS TO ADDRESS MARITIME 

PORT CYBERSECURITY 

In June 2014 we reported that DHS and the other stakeholders had taken limited 
steps with respect to maritime cybersecurity.® In particular, risk assessments for 
the maritime mode did not address cyber-related risks; maritime-related security 
plans contained limited consideration of cybersecurity; information-sharing mecha- 
nisms shared cybersecurity information to varying degrees; and the guidance for the 
Port Security Grant Program did not take certain steps to ensure that cyber risks 
were addressed. 

Maritime Risk Assessment Did Not Address Cybersecurity 

In its 2012 National Maritime Strategic Risk assessment, which was the most re- 
cent available at the time of our 2014 review, the Coast Guard did not address 


6 GAO-14-459. 
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cyber-related risks to the maritime mode. As called for by the NIPP, the Coast 
Guard completes this assessment on a biennial basis, and it is to provide a descrip- 
tion of the types of threats the Coast Guard expects to encounter within its areas 
of responsibility, such as ensuring the security of port facilities, over the next 5 to 
8 years. The assessment is to be informed by numerous inputs, such as historical 
incident and performance data, the views of subject-matter experts, and risk models, 
including the Maritime Security Risk Analysis Model, which is a tool that assesses 
risk in terms of threat, vulnerability, and consequences. 

However, we found that while the 2012 assessment contained information regard- 
ing threats, vulnerabilities, and the mitigation of potential risks in the maritime en- 
vironment, none of the information addressed cyber-related risks or provided a thor- 
ough assessment of cyber-related threats, vulnerabilities, and potential con- 
sequences. Coast Guard officials attributed this gap to limited efforts to develop in- 
puts related to cyber threats to inform the risk assessment. For example, the Mari- 
time Security Risk Analysis Model did not contain information related to cyber 
threats. The officials noted that they planned to address this deficiency in the next 
iteration of the assessment, which was to be completed by September 2014, but did 
not provide details on how cyhersecurity would be specifically addressed. 

We therefore recommended that DHS direct the Coast Guard to ensure that the 
next iteration of the maritime risk assessment include cyber-related threats, 
vulnerabilities, and potential consequences. DHS concurred with our recommenda- 
tion, and the September 2014 version of the National Maritime Strategic Risk As- 
sessment identifies cyber attacks as a threat vector for the maritime environment 
and assigns some impact values to these threats. However, the assessment does not 
identify vulnerabilities of cyber-related assets. Without fully addressing threats, 
vulnerabilities, and consequences of cyber incidents in its assessment, the Coast 
Guard and its sector partners will continue to be hindered in their ability to appro- 
priately plan and allocate resources for protecting maritime-related critical infra- 
structure. 

Maritime Security Plans’ Consideration of Cybersecurity Was Limited 

As we reported in June 2014, maritime security plans required by MTSA did not 
fully address cyber-related threats, vulnerabilities, and other considerations. Specifi- 
cally, three area maritime security plans we reviewed from three high-risk port 
areas contained very limited, if any, information about cyber-threats and mitigation 
activities. For example, the three plans included information about the types of in- 
formation and communications technology systems that would be used to commu- 
nicate security information to prevent, manage, and respond to a transportation se- 
curity incident; the types of information considered to be sensitive security informa- 
tion; and how to securely handle such information. They did not, however, identify 
or address any other potential cyber-related threats directed at or vulnerabilities in 
these systems or include cybersecurity measures that port-area stakeholders should 
take to prevent, manage, and respond to cyber-related threats and vulnerabilities. 

Similarly, nine facility security plans from the non-Federal organizations we met 
with during our 2014 review generally had very limited cybersecurity information. 
For example, two of the plans had generic references to potential cyber threats, but 
did not have any specific information on assets that were potentially vulnerable or 
associated mitigation strategies. Officials representing the Coast Guard and non- 
Federal entities acknowledged that their facility security plans at the time generally 
did not contain cybersecurity information. 

Coast Guard officials and other stakeholders stated that the area and facility-level 
security plans did not adequately address cybersecurity because the guidance for de- 
veloping the plans did not require a cyher component. Officials further stated that 
guidance for the next iterations of the plans, which were to be developed in 2014, 
addressed cybersecurity. However, in the absence of a maritime risk environment 
that addressed cyber risk, we questioned whether the revised plans would appro- 
priately address the cyber-related threats and vulnerabilities affecting the maritime 
environment. 

Accordingly, we recommended that DHS direct the Coast Guard to use the results 
of the next maritime risk assessment to inform guidance for incorporating cyberse- 
curity considerations for port area and facility security plans. While DHS concurred 
with this recommendation, as noted above, the revised maritime risk assessment 
does not address vulnerabilities of systems supporting maritime port operations, 
and thus is limited as a tool for informing maritime cybersecurity planning. Fur- 
ther, it is unclear to what extent the updated port area and facility plans include 
cyber risks because the Coast Guard has not yet provided us with updated plans. 
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Information-Sharing Mechanisms Varied in Sharing Cybersecurity Information 

Consistent with the private-public partnership model outlined in the NIPP, the 
Coast Guard helped establish various collaborative bodies for sharing security-re- 
lated information in the maritime environment. For example, the Maritime Modal 
Government Coordinating Council was established to enable interagency coordina- 
tion on maritime security issues, and members included representatives from DHS, 
as well as the Departments of Commerce, Defense, Justice, and Transportation. 
Meetings of this council discussed implications for the maritime mode of the Presi- 
dent’s Executive order on improving critical infrastructure cybersecurity, among 
other topics. 

In addition, the Maritime Modal Sector Coordinating Council, consisting of own- 
ers, operators, and associations from within the sector, was established in 2007 to 
enable coordination and information sharing. However, this council disbanded in 
March 2011 and was no longer active, when we conducted our 2014 review. Coast 
Guard officials stated that maritime stakeholders had viewed the sector coordi- 
nating council as duplicative of other bodies, such as area maritime security com- 
mittees, and thus there was little interest in reconstituting the council. 

In our June 2014 report, we noted that in the absence of a sector coordinating 
council, the maritime mode lacked a body to facilitate National-level information 
sharing and coordination of security-related information. By contrast, maritime se- 
curity committees are focused on specific geographic areas. 

We therefore recommended that DHS direct the Coast Guard to work with mari- 
time stakeholders to determine if the sector-coordinating council should be reestab- 
lished. DHS concurred with this recommendation, but has yet to take action on this. 
The absence of a National-level sector coordinating council increases that risk that 
critical infrastructure owners and operators will be unable to effectively share infor- 
mation concerning cyber threats and strategies to mitigate risks arising from them. 

Port Security Grant Program Did Not Take Key Steps to Effectively Address Cyber 
Risks 

In 2013 and 2014 FEMA identified enhancing cybersecurity capabilities as a fund- 
ing priority for its Port Security Grant Program and provided guidance to grant ap- 
plicants regarding the types of cybersecurity-related proposals eligible for funding. 
However, in our June 2014 report we noted that the agency’s National review panel 
had not consulted with cybersecurity-related subject-matter experts to inform its re- 
view of cyber-related grant proposals. This was partly because FEMA had 
downsized the expert panel that reviewed grants. In addition, because the Coast 
Guard’s maritime risk assessment did not include cyber-related threats, grant appli- 
cants and reviewers were not able to use the results of such an assessment to in- 
form grant proposals, project review, and risk-based funding decisions. 

Accordingly, we recommended that DHS direct FEMA to: (1) Develop procedures 
for grant proposal reviewers, at both the National and field level, to consult with 
cybersecurity subject-matter experts from the Coast Guard when making funding 
decisions, and (2) use information on cyber-related threats, vulnerabilities, and con- 
sequences identified in the revised maritime risk assessment to inform funding 
guidance for grant applicants and reviewers. 

Regarding the first recommendation, FEMA officials told us that since our 2014 
review, they have consulted with the Coast Guard’s Cyber Command on high-dollar 
value cyber projects and that Cyber Command officials sat on the review panel for 
1 day to review several other cyber projects. FEMA officials also provided examples 
of recent field review guidance sent to the captains of the port, including instruc- 
tions to contact Coast Guard officials if they have any questions about the review 
process. However, FEMA did not provide written procedures at either the National 
level or the port area level for ensuring that grant reviews are informed by the ap- 
propriate level of cybersecurity expertise. FEMA officials stated the fiscal year 2016 
Port Security Grant Program guidance will include specific instructions for both the 
field review and National review as part of the cyber project review. 

With respect to the second recommendation, since the Coast Guard’s 2014 mari- 
time risk assessment does not include information about cyber vulnerabilities, as 
discussed above, the risk assessment would be of limited value to FEMA in inform- 
ing its guidance for grant applicants and reviewers. As a result, we continue to be 
concerned that port security grants may not be allocated to projects that will best 
contribute to the cybersecurity of the maritime environment. 

In summary, protecting the Nation’s ports from cyber-based threats is of increas- 
ing importance, not only because of the prevalence of such threats, but because of 
the ports’ role as conduits of over a trillion dollars in cargo each year. Ports provide 
a tempting target for criminals seeking monetary gain, and successful attacks could 
potentially wreak havoc on the National economy. The increasing dependence of 
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port activities on computerized information and communications systems makes 
them vulnerable to many of the same threats facing other cyber-reliant critical in- 
frastructures, and Federal agencies play a key role by working with port facility 
owners and operators to secure the maritime environment. While DHS, through the 
Coast Guard and FEMA, has taken steps to address cyber threats in this environ- 
ment, they have been limited and more remains to be done to ensure that Federal 
and non-Federal stakeholders are working together effectively to mitigate cyber- 
based threats to the ports. Until DHS fully implements our recommendations, the 
Nation’s maritime ports will remain susceptible to cyber risks. 

Chairman Miller, Ranking Member Vela, and Members of the subcommittee, this 
concludes my prepared statement. I would be pleased to answer any questions you 
may have at this time. 

Mrs. Miller. Thank you very much. 

The Chair now recognizes Mr. Parsons. Again, sir, we appreciate 
you traveling from California to join us today. 

STATEMENT OF RANDY D. PARSONS, DIRECTOR, SECURITY 
SERVICES, PORT OF LONG BEACH, CALIFORNIA 

Mr. Parsons. Thank you. Madam Chair. 

I appreciate the opportunity to provide some information this 
morning from an operations perspective. As you mentioned, the 
Port of Long Beach is the second-busiest seaport in the United 
States. Combined with our neighbor adjacent, the Port of Los Ange- 
les, we handled over 15 million cargo containers in 2014. That rep- 
resents over 40 percent of the imported cargo to the United States. 
Partly in effort to protect the diverse and large environment that 
we have, we operate the Joint Command and Control Center, 
which is a 24/7 operation. It provides domain awareness to all of 
our partners. Government and private sector, and is the hub for 
critical incident management. The coordination center houses over 
$100 million in technical security assets. 

But we know the port authorities aren’t the only target and pos- 
sibly not the primary target for cybersecurity threats. Private-sec- 
tor business entities, such as the terminal operators, control a sub- 
stantial portion of the economic movement through our ports. The 
potential perpetrators and the threats, as you mentioned and as 
the admiral alluded to, aren’t very unique to the maritime environ- 
ment. We have threats to the port that are a danger to humans as 
well as catastrophic economic damage. We have workers. We have 
visitors. Both ports are housed in a densely-populated metropolitan 
area. Taking into account the dangerous nature of the persons — 
and the Port of Long Beach supports 30,000 jobs in the immediate 
area and 1.4 million jobs Nation-wide — an impact to a complex the 
size of Long Beach and Los Angeles could impact our National 
well-being. There are a number of challenges that we face in the 
maritime environment for cybersecurity. 

There is not a one-size-fits-all solution for all ports. The business 
models for ports vary based on the size of the ports, the nature of 
the business that goes through the ports and, frankly, how they are 
governed. Long Beach is a landlord port. We have very little input 
into the security posture of our tenants. Other ports are operators 
of ports and are better postured to make recommendations and re- 
quirements. 

A challenge is a lack of awareness about our own systems. Some- 
times systems are a patchwork of legacy systems. They are often 
operated or administered by folks with different purposes and a 
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myopic focus on their required specific functions. This creates a 
lack of enterprise perspective or awareness for the cybersecurity 
problem. There is a notable reluctance to share information about 
cybersecurity issues. To acknowledge a cybersecurity event could 
potentially mean a loss of business reputation and public trust. 
Much of the information for maritime stakeholders is deemed as 
proprietary to the degree that dissemination could create business 
disadvantage. 

There is a need to clearly identify roles and responsibilities of the 
various Government agencies involved in cybersecurity. The Ports 
of Long Beach and Los Angeles have been contacted and have 
worked with the United States Coast Guard, the FBI, Secret Serv- 
ice, and multiple entities of the Department of Homeland Security. 
We have tried to use incentives at our port to generate buy-in. We 
have done that successfully with our Green Port Program and our 
Clean Trucks Policy. 

Now, FEMA has incentivized, to a degree, cybersecurity matters 
by emphasizing cybersecurity mitigation and vulnerability assess- 
ments in the recent grant year. We agree that subject-matter ex- 
perts need to have continued input into those grant awards. The 
spending has increased as a result of that, but it is imperative that 
FEMA maintain a focus on strategic thought and the current and 
developing regulations. We support the efforts of the Coast Guard 
in their expanded mission to enhance security. But we realize that 
has created a specialized mission requirement that requires addi- 
tional funding. We believe that protecting U.S. ports must be a core 
capability of our Nation. We realize, as everyone does, we cannot 
stop all attacks. But focusing on the development of strategic poli- 
cies and guidelines is sorely needed. A roadmap that provides guid- 
ance but flexibility for industry decisions makes sense and will 
strengthen our National security cybersecurity posture. Thank you 
for the opportunity. 

[The prepared statement of Mr. Parsons follows:] 

Prepared Statement of Randy D. Parsons 
October 8, 2015 

Chairman and Members of the committee. My name is Randy Parsons and I am 
the director of security services for the Port of Long Beach, in California. Thank you 
for the opportunity to speak before the House Homeland Security Committee to dis- 
cuss cybersecurity in the maritime environment from a field operations perspective, 
especially during October, National Cybersecurity Awareness Month. 

BACKGROUND 

As the second-busiest seaport in the United States, the Port of Long Beach is a 
major gateway for U.S.-Asia trade and a recognized leader in security. The Port is 
an innovative provider of state-of-the-art seaport facilities and services that enhance 
economic vitality, support jobs, and improve the quality of life and the environment. 
A major economic force, the Port supports more than 30,000 jobs in Long Beach, 
316,000 jobs throughout Southern California and 1.4 million jobs throughout the 
United States. In 2014, the Port of Long Beach moved over 6.8 million 20-foot equiv- 
alent units (TEUs) of cargo, also known as containers. In August of this year, we 
experienced the highest volume of cargo in the Port’s 104-year history. 

Combined with our neighbor, the Port of Los Angeles, both ports comprise the San 
Pedro Bay Complex, the largest port complex in the Nation and the ninth-largest 
port complex in the world. Both ports moved over 15 million TEUs in 2014, which 
accounts for over 40 percent of the Nation’s imported cargo. A 2010 report commis- 
sioned by the two ports and the Alameda Corridor Transportation Authority found 
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that cargo moving through the San Pedro Bay Port Complex made its way to every 
Congressional district in the continental United States. As a result of the sheer vol- 
ume of cargo moved throughout the port complex and transportation-related activi- 
ties, protecting the San Pedro Bay Ports is vital to our National economic and secu- 
rity interests. 


SECURITY 

Safety and security are top priorities at the Port of Long Beach. Since September 
11, 2001, the Port along with the other Government agencies responsible for secu- 
rity, have greatly expanded their efforts to protect the Port complex and sur- 
rounding communities. The Port takes a leadership role in the development of strat- 
egies to mitigate security risks in the San Pedro Bay, working closely with multiple 
partners, both public and private, to plan and coordinate security measures. My pro- 
fessional experience has been in recognizing threat situations and tr 3 dng to formu- 
late the best mitigation strategies. I have made observations, learned lessons from 
our own port operations and through contact with other local port partners, other 
ports, and transportation agencies. 

The Port’s Joint Command and Control Center, a 24-hour-a-day maritime domain 
awareness (monitoring) center, is a critical hub for coordinated security efforts that 
include partnerships with local. State, and Federal law enforcement agencies as well 
as maritime and private-sector stakeholders. The Port of Long Beach has formalized 
agreements with these partners to share security information, coordinate threat in- 
formation, develop plans, and coordinate operations. 

The Control Center houses over $100 million in technical security assets. Through 
innovative efforts, the Port has a monitoring network of over 400 cameras, a com- 
prehensive fiber-optic network, a port-wide wireless system, an integrated security 
management system for synchronized monitoring and quick threat detection, access 
control and alarm monitoring, boat patrols, radar systems, a vessel tracking system, 
and sonar equipment. Law enforcement operations within the Port have been fully 
integrated between the Port of Long Beach Harbor Patrol and the Long Beach Police 
Department. 


CYBERSECURITY 

In 21st Century America, the Port of Long Beach, like many if not all organiza- 
tions, relies heavily on information technology. The l^ort relies on information tech- 
nology to operate the business of the port, as well as to secure the port complex and 
its assets. The maritime sector, like other industries are at risk for cyber attack, 
in part because ports are National economic drivers, and therefore are National crit- 
ical infrastructures. That is why, in addition to the above water, on water, and un- 
derwater security monitoring and threat detection, cybersecurity has become a crit- 
ical endeavor for the Port. 

Port business operations and port authorities are not the only targets. Private- 
sector business entities, such as terminal operators, control a substantial portion of 
the economic movement through a wide variety of facilities. In the San Pedro Bay 
Ports complex, major cyber threat areas include port facilities, shippers, vessels, ter- 
minal operating systems, equipment, storage facilities, rail, and truck operations. 
Potential perpetrators who could carry out cyber attacks include State-sponsored, 
criminal groups, and individuals, either inadvertent or intentional. Threats to the 
maritime environment include hacking, jamming, phishing, spoofing, malicious pro- 
grams, taking control, and denial of service. On average, the Port of Long Beach’s 
Information Management staff reports’ thwarting 1 million hacking attempts a day. 
Some of the motivating factors for cyber criminal activities may involve smuggling, 
cyber extortion, gaining business advantage, intellectual property theft, and dis- 
rupting or destrojdng a National critical infrastructure. In addition to man-made 
cyber threats, the maritime sector is also susceptible to natural hazards such as 
earthquakes, hurricanes, and tsunamis. 

Cyber threats do not necessarily target people to cause injuries and/or death, as 
with more traditional forms of terrorism. However, threats to ports are dangerous 
to the large number of workers, travelers, and visitors in and around the port com- 
munity. Coupled with the potential catastrophic economic impacts, maritime cyber 
events could impact our National well-being as much, if not more, than other types 
of attacks. Large-scale, multi-pronged attacks in the cyber world will require a cer- 
tain level of technical knowledge. However the logistics involved in cyber attacks 
may not rise to the level that was required for the September 11 attacks. Cyber at- 
tacks on such a large scale would create fear, instability, disrupt the normal way 
of life and business, and generate a lack of confidence in our Government’s ability 
to protect us. These are some of the same goals of more “traditional” terrorist acts. 
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As a result, the maritime sector must adapt to a new threat environment as we 
have done constantly since the September 11 attacks. 

It may seem overdramatic to make a comparison to the September 11 attacks, but 
one similarity may be in the number of cyber attacks that have taken place inter- 
nationally and within the United States, as well as our responses, or lack of, to 
those warnings. As a result, business resiliency has become a critical part of our 
on-going cybersecurity plan. Reducing the potential for single-point failure, building 
redundancy into systems, and developing back-up processes are vital to ensuring 
ports remain viable and resume operations as swiftly as possible in the event of an 
incident. Response and recovery are critical to successful mitigation and business 
resumption. Protocols must be clear on how to best contain an incident to prevent 
further interruption. Response teams must have specialized training and be pre- 
pared to engage 24/7. Protocols should include who receives notice of the event and 
what additional assets are available to assist. In a port environment, resiliency in- 
volves the ability of the logistics chain (public or private) to absorb the impact of 
business interruption caused by stress to the system (natural or man-made) and 
continue to provide an acceptable level of goods movement. In order to develop a 
comprehensive resiliency plan to address cybersecurity, factors that should be ad- 
dressed include infrastructure needs and protection, transportation systems, and de- 
velopment of business continuity plans. 

CHALLENGES 

There are a number of challenges that must be addressed to enhance cybersecu- 
rity in maritime environments. There is not a one-size-fits-all solution because ports 
are diverse in how their business is modeled. A lack of awareness about an organi- 
zation’s own systems creates opportunities for exploitation at a basic level. Systems 
themselves can be a patchwork of legacy systems, some integrated with newer tech- 
nologies. Cyber systems can be administered by operators with different purposes 
and a myopic focus on only their required function (i.e. engineers, information tech- 
nology, trade, human resources, and security). This creates a lack of an enterprise 
view of operations, which can lead to the “siloing” effect. The “siloing” effect is not 
an information technology problem, it is a “culture think” issue that takes effort to 
divest and generate a unified and collaborative perspective. At the Port of Long 
Beach, there is a continuing effort to align the enterprise Information Management 
function with the special needs of the Security Division. 

In the maritime industry, there is a notable reluctance to share information about 
cybersecurity issues. To acknowledge that a cyber event has taken place could po- 
tentially diminish business reputation and public trust. Maritime stakeholders have 
deemed much of their information as proprietary to the degree that dissemination 
could create business disadvantages. Although this is a valid concern, it must be 
measured against the National security impact to a port complex like the San Pedro 
Bay. Not sharing cybersecurity information makes it difficult to identify the nature 
of threats or establish lessons learned and best practices to mitigate them. 

There is not a clear or defined role and scope of responsibilities for the various 
Government agencies on the cybersecurity team. It is generally understood that, in 
substantial criminal cyber activity and terrorism matters, the Federal Bureau of In- 
vestigation (FBI) is the lead agency. However, the Ports of Long Beach and Los An- 
geles along with some of the tenants have been contacted by, and have also worked 
with the U.S. Coast Guard, the Secret Service, and multiple entities of Department 
of Homeland Security on cyber matters. Port authorities are willing partners in the 
fight against cyber attacks, however, there are requests for access to data from more 
than one agency. It is challenging to understand what type of cyber information is 
reported to which agency and duplicate requests for reporting often occur. This can 
be especially disconcerting for the private-sector entities whose proprietary concerns 
are heightened when multiple releases create more opportunity for compromise. 

INCENTIVES 

There seems to be clear recognition that serious cybersecurity concerns exist in 
the business world. However, left to our own devices, the business world seems not 
to be motivated to take the substantial action necessary to address those concerns 
in a strategic and collaborative manner. Thought should be given to the Federal 
Government creating incentives for businesses to enhance their cybersecurity efforts 
in a collaborative way. It is recommended that incentives be explored based on com- 
pliance standards. Uniformed guidelines, recommendations, and requirements are 
needed throughout the maritime sector. In order to gain “buy-in” from key stake- 
holders, the Port of Long Beach has found that industry incentives have been crit- 
ical to the success of programs like our Green Port Policy and Clean Air Action 
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Plan. In general, businesses are reluctant to spend money on efforts that are not 
revenue-generating, even if there is a risk assessment indicating mitigation efforts 
could be revenue-saving. 

The Federal Emergency Management Agency (FEMA) has incentivized cybersecu- 
rity activities by placing emphasis within the Port Security Grant Program (PSGP) 
on grant applications that focus on cybersecurity mitigation. It is important that cy- 
bersecurity subject-matter experts continue to be involved in the review process for 
these grant awards. It would be ideal to have that expertise engaged with FEMA 
practitioners who ensure decisions on cyber projects, as with all projects, continues 
to be driven by risk-based factors. 

As a result of this grant prioritization, spending on cybersecurity has increased. 
FEMA should ensure that spending is in line with strategic thought and prevailing 
guidelines as they are developed. An example of focusing on priority projects has 
been the PSGP emphasis on cyber vulnerability assessments. The Port of Long 
Beach, Security Division is currently undergoing a comprehensive cybersecurity vul- 
nerability assessment to enhance our posture. As we look to the future and con- 
template industry regulations for cybersecurity measures, consideration must be 
given for continuing grant support to assist maritime security partners addressing 
the regulations, particularly if the regulations should be mandatory. 

Collaboration between Government and the insurance industry could create incen- 
tives to protect valuable data identified by risk assessment modeling. When certain 
guidelines or industry standards are met, this could be reflected in premium costs. 
If incentives, and potential human and economic losses, are not motivation enough, 
a system of enforceable regulations or requirements may be necessary. Determining 
who would be covered by the rules and regulations is a fundamental question that 
will need to be answered. Specifically, the industry is interested in knowing whether 
the rules will apply only to facilities and vessels as with other regulations, or ex- 
pand to other port enterprises. 

The Port of Long Beach, concurs with the American Association of Port Authori- 
ties recommendation that there be flexibility in how policies are implemented to re- 
flect the varying and evolving threat environment of similarly-situated ports. For 
example, U.S. ports can be either operators of a port or landlords with minimal 
input into operations. There are varying models of governance for ports that directly 
affect how port authorities interact with port partners like terminal operators, rail- 
roads, trucking companies, and shipping lines. 

NATIONAL CYBERSECURITY POLICY 

The Port of Long Beach supports efforts for the U.S. Coast Guard to realize their 
new mission to lead the effort in enhancing cybersecurity in the maritime environ- 
ment. The U.S. Coast Guard and the Captains of the Port are in the best position 
to facilitate and coordinate the drafting of regulations, cybersecurity awareness pro- 
grams, vulnerability assessments, training, clarification of roles and responsibilities, 
exercises, and information sharing. In this role, the U.S. Coast Guard can provide 
a strategic view for cybersecurity in a maritime environment, identify lessons 
learned and best practices, and coordinate efforts among port industry stakeholders. 

The U.S. Coast Guard focus on cybersecurity in the maritime sector has created 
a need for specialized mission requirements. Those requirements must be supported 
through adequate funding for the U.S. Coast Guard to develop and acquire subject- 
matter experts and equipment to deliver meaningful guidance to ports around the 
country. Valuable guidance has been provided by the National Institute of Stand- 
ards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cy- 
bersecurity. Coordination between NIST and the Coast Guard will continue to lead 
the way in formulating the strategies required for a more comprehensive National 
cybersecurity posture. There should not be one-size-fits-all approach to managing cy- 
bersecurity risk because each port or logistics partner will experience different 
threats and vulnerabilities, as well as have different capabilities to address them. 

SOLUTIONS 

Solutions to these cybersecurity challenges exist. All entities must take inventory 
and identify their own systems and capabilities. This includes identifying employee 
and contractor access and duties to port facilities and information systems. In as- 
sessing impacts, it has been identified that people cause the most damage. Once 
cyber operations are understood on an enterprise scale, systems and protocols can 
be organized to promote cybersecurity throughout the organization. Legacy systems 
can be evaluated for updating to meet today’s, and more importantly, tomorrow’s cy- 
bersecurity needs. 
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The next step in achieving awareness is to have a comprehensive vulnerability as- 
sessment conducted by subject-matter experts. It is critical to identify and prioritize 
gaps that could lead to interruptions effecting key operations. The Port of Long 
Beach, Security Division is undergoing a comprehensive assessment; it will be the 
third such assessment in 3 years. 

Cybersecurity training and educational programs must be robust and continual. 
Training should include prevention, detection, response, and recovery efforts and 
procedures. Presentations are more meaningful if they contain real-world incidents 
and reporting. Case studies and examples are particularly valuable when they focus 
on lessons learned and best practices. System operators need to know what a poten- 
tial cyber incident looks like and how it behaves. This type of training provides 
awareness for port industry leaders and employees to create a “See Something/Say 
Something,” environment in the cyber arena. The benefits received from a collabo- 
rative environment promote information sharing. 

Another layer to cyber preparedness is conducting tests, drills, and exercises, as 
with other critical or emergency situations. In 2014, the Port of Los Angeles hosted 
a large, multi-agency, full-field cybersecurity exercise. Lessons were learned from in- 
tegrating cyber threats with real-world operations. Drills and exercises for cyberse- 
curity teams should be commonplace and testing of all employees should happen 
throughout the year, not just during Cybersecurity Month in October. 

When cyber events occur, decisions must be driven by information. Collaboration 
that produces an environment of sharing information will include balancing the 
need to protect propriety information with protecting our National critical infra- 
structures. The city of Los Angeles created a Cybersecurity Fusion Center to facili- 
tate the exchange of cyber information, and the Ports of Long Beach and Los Ange- 
les both have access. The Port of Long Beach takes pride in being led by our Infor- 
mation Management Division in being recognized as National Cyber Security Alli- 
ance — Cyber Security Champion since 2010. The Port also participates in the San 
Pedro Bay Cyber Working Group and the Critical Infrastructure Partnership Advi- 
sory Council. The U.S. Coast Guard, Sector Los Angeles/Long Beach, Area Maritime 
Security Committee has approved a Cyber Security Subcommittee and we look for- 
ward to its launch and being an active participant. 

Information sharing can be facilitated by clarif 3 dng roles and responsibilities for 
all cybersecurity players including local, State, Federal governments and private 
sector. This clarification must be shared with the entire maritime community. When 
an event is detected, proper notifications must be made, mitigation efforts are initi- 
ated, and an investigation may begin. Agency responsibilities may differ for each of 
these tasks and that must be understood by all. Likewise, lines of communication 
should be clear about who will analyze the information and identify potential per- 
petrators, techniques, and patterns or trends. If these efforts generate information 
of value, it must also be determined which agency disseminates the information and 
how it is disseminated. 

The reporting of cybersecurity-related information has not been a two-way flow 
of information sharing, it has mainly been the maritime sector providing informa- 
tion to Federal Government agencies. There should be a concerted effort to evaluate 
and identify information that can be released to the proper audience to keep them 
“in-the-loop.” This feedback is critical for identifying lessons learned, best practices, 
and foster the critical sharing relationship. One bright spot has been the collabora- 
tion between the ports of Long Beach and Los Angeles and the FBI’s Cyberhood 
Watch Program. This is a program where cyber information is shared by port part- 
ners, including private-sector partners, with the FBI. The FBI analyzes the data for 
suspicious behaviors and the results are shared back with the contributors and all 
partners in the program. The FBI will also take further investigative steps when 
warranted. 


CONCLUSION 

It is important to recognize that while we vigorously try, we cannot stop all at- 
tacks. Protecting U.S. ports must be a core capability of our Nation. There seems 
to be either high-level discussion about cybersecurity or fra^ented tactical level 
technical detail. Focusing on the development of strategic policies and guidelines is 
sorely needed. A road map that provides guidance and flexibility for industry deci- 
sions makes sense and will stren^hen our National cybersecurity posture. 

Thank you for the opportunity to address you on behalf of the Port of Long Beach. 
I would be pleased to take any questions. 

Mrs. Miller. Thank you very much. 
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The Chair now recognizes Mr. Sawicki. Again, we appreciate you 
traveling from Texas to join us, sir. 

STATEMENT OF JONATHAN SAWICKI, SECURITY IMPROVE- 
MENT PROGRAM MANAGER, PORTS OF BROWNSVILLE AND 

HARLINGEN, TEXAS 

Mr. Sawicki. Thank you very much. 

Madam Chairman, distinguished Members of the committee, and 
Members of the audience, my name is John Sawicki. I was asked 
to testify today based upon experience gained while serving as a se- 
curity improvement program manager for the Ports of Brownsville 
and Harlingen, Texas. I am humbled and honored to be here today 
to share with you this experience, as well as my own opinions on 
the status of cybersecurity in our port communities. Today, I would 
like to focus on the importance of risk-based, strategic planning 
and how cyber risk is a critical component within that approach. 
I would like to share with the committee information on recent ef- 
forts to manage cyber risk in the maritime domain and will provide 
brief comments on the Coast Guard’s cybersecurity strategy, as 
well as provide some general recommendations for consideration. 

My hope today is that once we all leave here, the Members of the 
subcommittee, the audience, and my fellow witnesses are better 
equipped to make informed risk-based decisions when imple- 
menting cybersecurity and resiliency strategies. The bombing of the 
U.S.S. Cole and September 11 attacks on our county made it clear 
that we had to increase our level of homeland security Nation-wide. 
Just as how we travel by air has changed, the way we conduct 
maritime commerce has also changed. 

We need to understand, we all know that there are capable and 
motivated threats out there for cyber and for physical security. We 
must implement risk-based strategies. To mitigate against some of 
these physical security threats, in 2002, the Port of Brownsville es- 
tablished a sworn police department responsible for not only en- 
forcing laws and providing public safety but for implementing pro- 
grams and measures to protect port infrastructure and maintain 
compliance with the MTSA. In 2007, the port conducted a com- 
prehensive threat assessment, which was closely followed by a 
port- wide strategic risk-management plan in 2008. 

While not required of the Port of Brownsville, this plan has been 
a critical component to our success with the Port Security Grant 
Program, securing over $14 million in funds for physical security 
enhancement projects. Currently, the port is in the process of up- 
dating this initial port-wide strategic risk management plan with 
an additional focus on industrial hazards and cybersecurity. A stra- 
tegic risk-based approach to managing the threats and hazards at 
the Port of Brownsville has resulted in a safer and more secure en- 
vironment within which commerce can be conducted. 

Cybersecurity, Port of Brownsville. Using the NIST Cybersecu- 
rity Framework as a guide, the Port of Brownsville recently con- 
ducted a cybersecurity assessment to identify critical systems, 
evaluate current cybersecurity posture, establish a target state for 
cybersecurity, and identify and prioritize opportunities for improve- 
ments. The timing of this assessment was optimal, as the port had 
recently hired its first IT manager and was in the process of per- 
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forming significant upgrades to existing communication systems, 
port management systems, and general operating systems. 

The result of this cybersecurity assessment indicated opportuni- 
ties for improvement in all five cybersecurity functions: Identify, 
protect, detect, respond, and recover. Using the results of this as- 
sessment, the port prepared and submitted a grant application 
through the fiscal year 2015 Port Security Grant Program. Unfor- 
tunately, the project was not funded. Even though it was not fund- 
ed, the port strives to improve our cybersecurity posture and, even 
though at a slower pace, is doing so. 

Comments on the U.S. Coast Guard strategy. In general, I sup- 
port the U.S. Coast Guard’s vision for operating in the cyber do- 
main and the three primary priorities of defending cyber space, en- 
abling operations, and protecting infrastructure critical to the MTS. 
The risk-based decision-making model utilized in the overall strat- 
egy development and proposed implementation will be very bene- 
ficial. I believe that the stated goals and objectives are reasonably 
achievable, given support and resources on an on-going and con- 
sistent manner. I think that on-going and consistency is very im- 
portant. The most important goal stated in the strategy in terms 
of port-wide risk management in my mind is to increase oper- 
ational resiliency by ensuring mission-focused cyber space oper- 
ations and incorporating cybersecurity into U.S. Coast Guard cul- 
ture. This focus on resiliency and the concept of establishing a cul- 
ture of cybersecurity is key to managing risks posed by a persistent 
and capable threat. This operational resiliency will effectively re- 
duce the consequences associated with a potential cyber-based 
transportation security incident and work to gain buy-in from port 
area partners and other maritime domain stakeholders. Ultimately, 
to adequately address the cyber risk, we must all work to establish 
and nourish a culture of enhanced cybersecurity and vigilance 
within our own organizations. You have many of my recommenda- 
tions in my written testimony, so I am not going to go through all 
those today. But, most importantly, I feel we need to continue to 
support at the port level and the National-level risk-based decision 
making and the assessments required to do so. 

So I will leave you today with thanking you for this opportunity. 
General Douglas MacArthur is credited with saying: There is no se- 
curity on this Earth, only opportunity. I feel right now we have 
that opportunity to help build cybersecurity throughout the MTS. 
Thank you very much. 

[The prepared statement of Mr. Sawicki follows:] 

Prepared Statement of Jonathan Sawicki 
October 8, 2015 
introduction 

Madam Chairman, distinguished Members of the committee and members of the 
audience, my name is Jon Sawicki and I was asked to testify today based upon ex- 
perience gained while serving as the security improvement program manager for the 
Ports of Brownsville and Harlingen, both located in Cameron County, Texas. I am 
humbled and honored to be here today to share with you this experience, as well 
as my own opinions on the status of cybersecurity in our port communities. 

Today I would like to focus on the importance of risk-based strategic planning and 
how cyber risk is a critical component of that approach. I would like to share with 
the committee information on recent efforts to manage cyber risk in the maritime 
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domain and will provide brief comments on the USCG’s Cyber Strategy, as well as 
provide some general recommendations for consideration by the USCG and com- 
mittee Members as you work to enhance the National cyhersecurity posture. My 
hope today is that, the Members of the subcommittee, the audience and my fellow 
witnesses are better equipped to make informed risk-based decisions when devel- 
oping and implementing cybersecurity and resiliency strategies. 

STRATEGIC PLANNING AT THE PORT OF BROWNSVILLE 

The bombing of the USS Cole on October 12, 2000, and the subsequent terrorist 
attacks against the United States on September 11, 2001 made it clear that home- 
land security as a whole needed to be enhanced throughout our country. Just as how 
we travel by air has changed significantly, the means by which we conduct maritime 
commerce in ports and waterways world-wide has been impacted by the reality that 
motivated and capable threats do exist, and they pose a risk to the lives and liveli- 
hoods of people everywhere. 

To mitigate against physical security threats, in 2002 the Port of Brownsville es- 
tablished a sworn police department responsible for not only enforcing laws and pro- 
viding public safety, but for implementing programs and measures to protect port 
infrastructure and maintain compliance with the Maritime Transportation Security 
Act (MTSA). In 2007 the Port conducted a comprehensive threat assessment, closely 
followed in 2008 by the development of a port-wide strategic risk management/miti- 
gation and trade resiliency/resumption plan, which has since been used as a guide 
for the design and development of PSGP project applications. 

While not required of the Port of Brownsville, the completion of this first port- 
wide strategic risk management plan has been critical to our success in securing ap- 
proximately $14,000,000 in funds to implement projects of a wide variety; from the 
development of sophisticated wide-area surveillance and TWIG -compliant access 
control systems; the construction of a new port command center and commercial 
truck entrance; and the purchase of multiple portable generators, light towers, and 
security shelters for use during incident response and disaster recovery operations. 

The Port is currently in the process of updating the initial Port-wide strategic risk 
management/mitigation and trade resiliency/resumption plan. This update has an 
added focus on industrial hazards at non-USCG-regulated facilities, the ability to 
coordinate emergency response activities with all port tenants and evaluating the 
Port’s cyhersecurity and network preparedness posture. A strategic risk-based ap- 
proach to managing the threats and hazards at the Port of Brownsville has resulted 
in a safer and more secure environment within which commerce can be conducted. 

CYBERSECURITY AT THE PORT OF BROWNSVILLE 

Using the National Institute of Standards and Technology (NIST) Cyhersecurity 
Framework as a guide, the Port of Brownsville recently conducted a basic cybersecu- 
rity assessment to identify critical systems, evaluate their current cybersecurity pos- 
ture; establish a target state for cyhersecurity; and identify and prioritize opportuni- 
ties for improvement within the context of a continuous and repeatable process. The 
timing of this assessment was optimal as the Port had recently hired its first in- 
house IT manager and was in the process of performing a significant upgrade to the 
existing communications platform, computer operating systems (hardware and soft- 
ware) and port management information system. 

The results of the cyhersecurity assessment indicated opportunities for improve- 
ment in all five cyhersecurity functions; identify, protect, detect, respond, and re- 
cover. Using the results of the cyhersecurity assessment the Port prepared and sub- 
mitted a grant project application through the fiscal year 2015 PSGP, which unfor- 
tunately was not selected for funding. Though this project did not receive funding, 
the Port strives to improve cyhersecurity and network resiliency through targeted 
upgrades and enhancing the capabilities of IT-tasked personnel. 

USCG CYBERSECURITY STRATEGY 

In general I support the USCG’s vision for operating in the cyber domain, and 
the three primary priorities of defending cyber space, enabling operations and pro- 
tecting Infrastructure critical to the maritime transportation system. The risk-based 
decision-making model utilized in the overall strategy development and proposed 
implementation will be beneficial, and I believe that the stated goals and objectives 
are reasonably achievable given support and resources are on-going and consistent. 

The most important goal stated in the strategy in terms of port-wide risk manage- 
ment is to “increase operational resiliency” by ensuring mission-focused cyber space 
operations, and incorporating cybersecurity into U.S. Coast Guard culture. This 
focus on resiliency and the concept of establishing a culture of cyhersecurity is key 
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to managing risk posed by a persistent and capable threat, or natural hazard such 
as a major hurricane. Given the likelihood of a future cyber incident impacting the 
maritime transportation system, the true measure of a successful cyber risk man- 
agement program will be the ability to operate in a degraded manner while the 
threat is addressed and systems are restored. This operational resiliency will effec- 
tively reduce the consequence associated with a potential cyber-based transportation 
security incident, and work to gain buy-in from port-area partners and other mari- 
time domain stakeholders. Ultimately, to adequately address the cyher risk we must 
all work to establish and nourish a culture of enhanced cybersecurity vigilance with- 
in our own organizations. 

RECOMMENDATIONS AND CLOSING STATEMENT 

Recommendations : 

• Continue to provide resources through the PSGP to promote the enhancement 
of cybersecurity and network preparedness within the maritime domain. Con- 
siderations should be made to reduce the cost match requirement for cybersecu- 
rity assessments and strategic planning projects that follow the NIST Cyberse- 
curity Framework. 

• Continue to provide resources through the PSGP to conduct or update port-wide 
strategic risk management/mitigation and trade resiliency/resumption plans. 
Consider reducing the cost match requirement for grantee projects that directly 
address cyber vulnerabilities identified in the strategic risk management plans 
and/or area maritime security assessment (AMSA). 

• Continue to provide resources through the PSGP to support cybersecurity train- 
ing and exercises. Consider reducing the cost match requirements for projects 
that provide consistent and accredited cybersecurity training of varying levels 
to members of the port community, specifically those offered to both public and 
private entities. 

• Provide for flexibility in future policies or regulations, taking into account 
unique port-specific risk profiles and operating environments when determining 
appropriate mitigation levels. 

• Further define and provide guidance on what constitutes a transportation secu- 
rity incident specific to potential or actual cyber breaches. 

• Encourage cybersecurity breach reporting by port facilities by putting in place 
measures to safeguard information to a degree that limits the reputational im- 
pact on the entity breached. 

• Continue to lead and facilitate cybersecurity discussions at AMSC meetings and 
other industry groups such as ASIS and the FBI’s Infraguard Program. 

Thank you again for the opportunity to testify before this subcommittee. General 
Douglas MacArthur is credited with saying, “There is no security on this earth; only 
opportunity”. These words are as relevant today as they were almost a century ago. 
Cybersecurity must be approached as an on-going cycle, not a means to an end. 
Threat actors will always look for opportunities to exploit system vulnerabilities. As 
such, we must always be identifying and capitalizing on opportunities to increase 
our own preparedness, protection, and response capabilities. 

Mrs. Miller. Thank you, all of you, gentlemen. I think what I 
will do is just ask a more global question and ask each one of you 
to respond to it. I will preface it by telling you the reason I called 
this hearing, obviously, I mean, if you talk to anybody at the Pen- 
tagon and you ask them, “What keeps you awake at night,” they 
will tell you cyber attack. That is what they are worried about, as 
much as anything else, of all the threats that we face. When you 
talk to Members on the Intel Committee, you know, they will tell 
you about some of the things that are happening. I mean, we see 
some of the things openly reported of these hackers, like the 0PM 
kind of thing that happened here in the Government domain re- 
cently, where you had the hackers sitting there probably in the in- 
formation environment for could have been a year, you know. As 
Members of Congress, we were talking about whether or not we 
ought to get credit-security agencies available to all these folks that 
had been hacked in. But, look, they weren’t looking for somebody’s 
credit card information probably. 
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The other hat that I wear besides sitting on the Homeland Secu- 
rity Committee, I am also the Chair of the House Administration 
Committee, where we are concerned about cyber for the campus 
here. I won’t go into some of the issues that we have had there. 
But, obviously, we are a target, right? So you can imagine. 

But, at any rate, as I sort-of think about this whole area of cy- 
bersecurity in the port, in the maritime environment, and I think 
about the Coast Guard being missioned with this, and. Admiral 
Thomas, I would also say, you know, I also have a saying, I always 
say if it is wet and impossible, send in the Coast Guard because 
you guys just handle it. Then, you know, since 9/11, all we have 
done is load you up, load you up, load you up with so many other 
kinds of missions. Now you are tasked with this as well, with cy- 
bersecurity. But, you know, the world is a changing, evolving 
threat environment all the time. It is much more asymmetrical 
than it has ever been in the past, as evidenced by the kinds of 
things, the worries that fellows at the ports are having. 

I guess, just generically, my question is: How do you think the 
Coast Guard is doing with this mission? To the rest of you — and 
nothing against the Coast Guard — but do you think the Coast 
Guard is the proper agency, and do they have adequate resources, 
again, to carry out another mission that the Government has 
missioned them, tasked them with? Our committee, we need to 
hear from all of you of what kinds of situations you are having out 
there. Then it is up to us to finance to the best extent that we can, 
prioritize the Government’s money here of doing the kinds of things 
we need to be able to do to make sure that the missions we give 
the brave men and women in the Coast Guard and every other 
agency is adequate for that. I guess that is, sort of generally, I am 
trying to understand whether or not the Coast Guard is, the kinds 
of challenges that you find yourself with and what the rest of you 
think about how that is going and what, perhaps, we could do dif- 
ferently if necessary. Admiral? 

Admiral Thomas. Thank you for that great question. In my 
statement, I mentioned that we don’t view this as a new mission. 
We view it as a natural extension of our existing mission. Maybe 
I can elaborate on that. When the maritime industry shifted from 
sail to steam, the Coast Guard had to develop standards and the 
ability to assure compliance with those standards for boilers and 
for engineers for the first time, and then when we shifted from 
steam to internal combustion and from internal combustion to 
major electrical power. So the industry has moved to operating in 
cyber. The Coast Guard has got to move with them. So it is the 
natural extension of our mission given to us by Congress to man- 
age operational risks in the maritime area. 

Now, that said, it is a different type of risk that we have to man- 
age. So we need to develop different expertise, and we need to 
bring some different capabilities. We are doing that by leveraging 
the expertise and capabilities that exist across the Government and 
by building our own work force. One of the reasons why our com- 
mandant insisted that we have a cyber strategy is so that our en- 
tire organization stays focused on those things that we know we 
need to do in order to be operationally effective across all of our 
missions in the 21st Century operating environment. That includes 
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building the workforce. It includes developing the proper kind of 
standards. So, again, I don’t see this as a new mission. We see it 
as a new domain in which we need to conduct all of our missions. 

Certainly when I talk to the industry about how do we manage 
the risks introduced by cyber systems, and we talk about how we 
manage other risks that, you know, have always been out there, 
the same types of approaches, the same risk-based performance 
standards, the same type of regulatory regime is what people tell 
me they think works. So thank you for the question. 

Mrs. Miller. Mr. Wilshusen. 

Mr. Wilshusen. Yes, I would just like to add, too, that it is good 
to hear Admiral Thomas talk about leveraging other resources 
across the Federal Government because there are several that can 
help as the Coast Guard tries to bring up their cybersecurity capa- 
bilities. Even within its own Department, the Department of Home- 
land Security, the Office of Cybersecurity and Communications has 
a number of groups that are skilled in cybersecurity-related mat- 
ters, and that certainly can help inform the Coast Guard’s effort. 
In addition, the National Institute of Standards and Technology 
has developed a framework, a cybersecurity framework for improv- 
ing cybersecurity within the critical infrastructure. That, too, is an- 
other framework that can help inform the Coast Guard’s efforts 
and, indeed, all of the maritime sectors’ efforts to improve the cy- 
bersecurity. So there are other resources available that can help 
the Coast Guard in performing those activities. 

Mrs. Miller. Mr. Parsons, what is your thought? 

Mr. Parsons. Madam Chair, I don’t think there is any question 
the Coast Guard is the right agency. The Coast Guard and their 
Captains of the Port are perfectly positioned to lead strategy and 
guidelines for port security measures. As the admiral says, that is 
what they have done all along. They are the right people. 

Clearly, something this large and complex, there is going to be 
a maturational process to this. I feel like we are at the beginning 
of it. But the things that I feel we need in the maritime environ- 
ment are leadership, coordination, a strategy, create a fabric for all 
the working entities in the port, not just port authorities but for 
the business entities in the port. Quite frankly, we struggle as a 
landlord port to have much say in the position of security in our 
tenants. 

You mentioned the fully-automated terminal. Once fully opera- 
tive, that will handle 3 million cargo containers a year. That num- 
ber, which is expected to be fulfilled through contracts, would make 
that one terminal the fourth-largest port in the United States. We 
have very little input into their — we can inquire, we can discuss it, 
we can confer and collaborate. But we have no guidelines or stand- 
ards that could help them motivate. I am sure they have a very ro- 
bust cybersecurity program for a fully-automated terminal. But we 
don’t have any insight into that and no real insight in how to get 
there. The last thing I would say is many of the challenges I men- 
tioned, again, the Coast Guard I think is postured for systems 
awareness, threat awareness, training programs. They are kind-of 
a mishmash if they exist. 

Our concern is that the level of resources that they have to do 
this job and how long it would take to do it. If there were a Na- 
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tional vulnerability assessment, a charge for all ports, that is going 
to be a beefy undertaking. It is going to take a long time. But, 
again, with their experience of understanding the difference be- 
tween the different nature of the ports, I think the Captains of the 
Port are, again, the best postured to take something like that on. 

Mrs. Miller. Mr. Sawicki. 

Mr. Sawicki. Thank you very much. In my opinion, for the cur- 
rent operations, yes, the Coast Guard has resources to continue to 
facilitate the conversation. I think that is the most important part 
right now is that within ports, we have many experts at many pri- 
vate terminals. But it is very difficult to get them all into one room 
to share their own strategies because they all compete. So I think 
at this point, the Coast Guard is doing an incredible role through 
Area Maritime Security Committees, to port safety committees to 
facilitate that conversation and to better understand what private 
industry is doing, some of their concerns. The primary concern that 
I see with information sharing specifically with port tenants is the 
possibility for reputational impact of a private company if they 
share a cyber breach. 

So I think, currently, by facilitating these conversations, by 
working with private industry and working within existing regula- 
tions, I believe the Coast Guard is the right organization for this 
role. I believe it will take us a while to get there, but this is a very 
big problem. We are still in the proactive stage. Fortunately, we 
are not in the reactive stage. Thank you very much. 

Mrs. Miller. Thank you all very much. 

Before I recognize the Ranking Member, I would also like to rec- 
ognize, and as you see, the gentleman from Texas, Mr. Ratcliffe, 
who is the Chairman of the committee’s Subcommittee on Cyberse- 
curity, Infrastructure Protection, and Security Technology, be al- 
lowed to sit on the dais and participate in today’s hearing. 

Without objection, so ordered. 

Mr. Vela. 

Mr. Vela. Thank you. Madam Chairman. 

Mr. Parsons, you hit on two points that I would like to basically 
hear about in a broader context of not just cybersecurity but port 
security in general. The first is with respect to communication be- 
tween ports, for example, in California, Port of San Diego, Long 
Beach, Los Angeles, San Francisco, and many others — in Texas, it 
would be Port of Brownsville, Port of Corpus Christi, Galveston, 
Houston — what kind of information-sharing systems do we have in 
place between all these different ports? 

Mr. Parsons. In our area, we have, the first thing and the best 
thing is we know each other. We spend a lot of time together in 
other emergency management and crisis situations. We attend the 
same conferences. We are part of the same cybersecurity working 
groups that cover both ports. We share information. 

I will tell you a bright spot in information sharing is the FBI’s 
Cyberhood Watch Program. That is one place where port entities 
and, importantly, private-entity terminals have agreed to input 
their defense information as they defend against cyber attacks into 
the FBI Cyberhood Watch. The FBI analyzes that information. One 
thing we really appreciate is, it is a two-way flow of information. 
They provide the information back to the stakeholders if they see 
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a pattern or a trend that needs tending. That goes to all stake- 
holders. So some of that proprietary influence has heen broken 
down with Cyberhood Watch. 

Mr. Vela. Mr. Sawicki. 

Mr. Sawicki. I agree. It would also reinforce that through the 
FBI’s InfraGard Program as well. That is where a lot of industry 
information sharing takes place. Port- wise, you are looking at con- 
ferences, AAPA events, seminars where the same groups get to- 
gether, discuss issues they are sharing. I am not aware of any for- 
mal communication platform between ports to share. Now, if there 
is an issue, someone receives a breach, then information sharing 
takes place through the National Response Center. I have not seen 
that process take place. I am not sure how reactive it can be. But, 
currently. Area Maritime Security Committees, existing meetings, 
the conversations are happening. Everyone is talking about it. But 
as far as a formal platform, I am not aware of one. 

Mr. Vela. So would the common thread from coast to coast be 
the FBI Cyber Watch Program? Is that what you called it? 

Mr. Sawicki. There are multiple programs under, I believe under 
the InfraGard Program which is, I am a member, I sign up, very 
quick background checks. Then I receive emails on specific threats 
that are out there. Most of these are Non-classified but Sensitive 
I guess would be the way to put it. So there is information in in- 
dustry. When industry partners talked to non-maritime, like 
NERC, for example, some of the other regulatory boards, there is 
a lot of information out there. But it is more informal than formally 
received. 

Mr. Vela. Mr. Parsons, the other point I wanted to hit on is you 
mentioned the challenge in getting the tenants to share informa- 
tion. Is that something that we see across the Nation? 

Mr. Parsons. Yes. One of those things I don’t think is unique to 
the maritime environment. It is a valid concern. One thing I think 
the Cyberhood Watch Program has done is called the private-sector 
tenants together, made the point: We understand your position; we 
have seen it happen in the United States. But, on balance, with the 
port complex such as Long Beach and Los Angeles, we do have to 
balance proprietary interests with potential damage to National se- 
curity. That argument and possibly others have drawn these pri- 
vate-sector people into Cyberhood Watch. That is a huge step. 
There has been a lack of trust, parochial interest in their informa- 
tion. That has been a tough pull. But this is a glimmer of success 
that we have seen. 

Mr. Vela. Mr. Wilshusen, what are your thoughts on the 2015 
Coast Guard cyber strategy? 

Mr. Wilshusen. I think it is a step forward to recognize and 
identify the three objectives that they have laid out in their strat- 
egy, particularly with protecting the critical infrastructure in the 
maritime environment, which was the focus of our report and the 
actions we have done there. So, to that extent, I think it has been 
a positive step and something that, of course, I understand will be 
guiding their efforts going forward. 

But one thing I would just like to also point out regarding the 
information-sharing issue that has been discussed is that there 
have been a number of barriers to effective information security. 
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Mr. Parsons and Mr. Sawicki touched on a couple of those. One is 
having, establishing those relationships and how important it is to 
establish trust in order for private-sector companies to share their 
information with the Government or among themselves. The other 
thing is part of what could happen to facilitate that sharing of in- 
formation is to have a secure mechanism in which organizations 
can provide that information to Government and, conversely. Fed- 
eral agencies can provide actionable threat alert and incident infor- 
mation back to the private sector. There should also be capabilities 
to anonymize the information so the issue with regard to 
reputational impairment, if you will, on the part of a private sector 
who reports an incident and it is cited, leads could be anonymized 
so the individual entity is not being identified, but the information 
about the threat, about the incident, and it will be something that 
can be shared across the sector. So there are a couple actions that 
can be taken to help improve information sharing across the board. 

Mr. Vela. Thank you. 

Mrs. Miller. The Chair recognizes the gentleman from New 
York, Mr. Donovan. 

Mr. Donovan. Thank you. Madam Chair. 

I would like to thank you and the Ranking Member for allowing 
me and Ratcliffe to intrude on your hearing. 

First of all, gentlemen, thank you for what you do for our coun- 
try, your interest in protecting our National security. I have two 
reasons why I asked the Chairwoman and Ranking Member if I 
could join you today. One is we have a great love for the Coasties. 
I come from New York. When Governors Island closed, the Coasties 
came to Staten Island, where I live. We are very proud. We are 
very grateful for their work. We are so honored that they decided 
to come to Staten Island. 

The other is my dad was a longshoreman for 40 years. Before 
containerization, longshoremen would go down into the hull of the 
ship with a hook and grab a burlap sack of coffee beans and walk 
it out of the hull of the ship. My father used to come home with 
the coffee beans, the loose ones, in his cuffs of his pants. We used 
to grind them up, and we had coffee. But, you know, the security 
back then, I suspect they had dogs that would sniff the cargo, 
maybe some detectors for radiological materials on some of the 
ships. But your mission has become so great. 

When you spoke. Admiral, about — you guys remind me of Larry 
the Cable Guy; you are just going to get ’er done no matter what 
it is. But your resources are finite. To take on this other mission 
or expanding the mission that you already have in the security of 
our ports is going to cost you resources. Are other parts of the 
Coast Guard’s missions going to suffer because now you have to di- 
rect resources to this new threat that we face now in cybersecurity? 

Admiral Thomas. Thanks for your support of the Coast Guard. 
We love Staten Island as well. I would say of the three objectives 
in our Coast Guard cyber strategy, the least resource-intensive is 
the one around our role for protecting maritime critical infrastruc- 
ture. That is because of some points that have already been made. 
That infrastructure is privately-owned. The real responsibility to do 
the defense of those systems is with the private sector. So we don’t 
envision Coast Guard personnel, for example, actively defending 
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private-sector systems. Our role in that regard is to set a reason- 
able performance standard and then have the people in place to en- 
sure that standard is met. That might involve the use of third par- 
ties. In fact, I am quite certain that it would. We use third parties 
across our compliance program. So do we need additional resources 
to do that? Yes. Is the demand as large as you might think? Prob- 
ably not, at least not for that component of our strategy because, 
again, we will leverage the capabilities across the Government, 
both in terms of setting the standards. One of the reasons that we 
don’t have the assessments in place that the GAO would like to see 
is because we want to make sure we use the same assessment tools 
that are used in other sectors. They are just not there yet. So it 
wouldn’t make any sense to move out ahead of them. 

But we will leverage all those resources. Yes, there will be a re- 
source bill. Will it impact our other missions? Our Coast Guard 
Commandant has been pretty clear that cyber is a way to make 
sure we do our missions better and more effectively. It is not a mis- 
sion to detract from others. 

Mr. Donovan. Thank you very much. 

Madam Chairman, I waive the rest of my time. Thank you. 

Mrs. Miller. I thank the gentleman. 

The gentlelady from California, Ms. Sanchez. 

Ms. Sanchez. Thank you. Madam Chair. Once again, always a 
pleasure to serve with you on this subcommittee. As you know, I 
probably live about 25 minutes away from the Port of Long Beach 
and maybe half an hour away from the Port of Los Angeles. Almost 
50 percent of our goods, I think, come through those two ports to 
the United States. The Port of Long Beach alone handles about 
$150 billion in trade annually. Of course, we are talking about a 
lot of Southern California jobs between these two ports. 

So I would like to ask Mr. Parsons, what would be the impact 
of a significant cyber attack on your port? What do you envision 
would be, on the high end, something that would just cripple what 
is going on? How long do you think, given the current infrastruc- 
ture, it would take to get things back to normal? 

Mr. Parsons. Congresswoman, we are always very concerned 
about major attacks. But I will tell you, we have experienced plenty 
of small ones that have given us some insight into what happens 
in port environments. Those have been generated some by labor ac- 
tion and slow downs, some by malfunctioning of systems, not only 
within ports but on a larger scale, with the city of Long Beach. 

Ms. Sanchez. With the automation, and I know the automa- 
tion — I understand the whole issue of much of this infrastructure 
is owned by these individual maritime companies, et cetera. But 
give me an example of something that you think would be just in- 
credibly crippling and what we could imagine would be the after- 
effect. I am thinking from an economy standpoint in particular for 
California. 

Mr. Parsons. Well, we could go back to 2002 and the work stop- 
page there, where the National economy was dramatically affected. 
Depending on whose figures you believe 

Ms. Sanchez. Was that like 8 days or 18 days? 

Mr. Parsons. Exactly. In 2002 dollars, it was a loss of $1 billion 
a day to the National economy. So we can assume it has gone up 
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from there. What we have seen is systems shut down. As Mr. 
Sawicki talked about, resiliency and redundancy is a huge part of 
cybersecurity; how quickly can we spin back up? What we have 
seen is a lack of redundancy and acceptable back-up systems, in 
some cases, as simple as power back-up. Some of the terminals, 
during the problems we had with the electrical grid out there, they 
were down. The irony was the security systems were up and run- 
ning, were back up, but the economy isn’t moving. So that is a 
great concern to us. Again, it goes back to the awareness of the sys- 
tems; exactly how long would it take these individual terminals to 
come back on? 

Ms. Sanchez. I remember it was, even after we solved the issue, 
it was a long time in getting the back-up and getting everything 
back to normal and getting the ships out. Of course, much of that 
was perishable to some extent, et cetera. So it was a big economic 
crunch. 

I am very confident in my Coast Guard, I have visited a lot both 
up in the San Francisco Bay area and, of course, in our ports, and 
in San Diego, with respect to your ability to cover and to have con- 
sistent knowledge of each port within the Coast Guard. So I want 
to congratulate you on that actually because I think you are doing 
a good job with respect to that. 

But I think this whole issue. Madam Chair, going back to this 
issue of, and we have seen this over and over in other areas, 
whether it is petrochemical or anything else, that the mainstay of 
the infrastructure is in individuals’ hands, right, in private hands. 
So what is our role, and how do we ensure that, in fact, even in 
an economic situation there is backup energy generation, for exam- 
ple? So I know that you have all talked about, you know, we need 
more communication or we need more, we need to know more. How 
do we do that? How do we, if we, the Government, wanted to some- 
how take the initiative to actually get this going, what would that 
look like? What could we do, given that everybody, the individual 
stakeholders have proprietary information, you know, they want to 
but they don’t want to come together and figure out how we are 
better protected against cyber. Seeming that Homeland Security is 
supposed to be in charge of everything but defense cyber in our 
agencies and that we are somehow supposed to help private enti- 
ties who are so important to us get this act together with us, what 
would you suggest? If I told you tomorrow, “Fix this problem and 
let’s get this done,” what would that look like? To any of you who 
are on the panel. Give us some ideas of what we can do as a com- 
mittee to help you get that done. 

Mr. Sawicki. It is a very good question, a very difficult question. 
But I think, initially, it is to focus on those systems that facilitate 
commerce, the navigation systems. You know, after a hurricane, as 
an example, you can have every facility ready to operate, but if 
that channel isn’t open, then it really doesn’t matter. 

So I would say focus on the major navigation systems, the Fed- 
eral systems. Ensure private industry’s trust in those systems, and 
then help facilitate conversations among private industry because 
I believe private industry is going to do on their own to protect 
their own interest. So other than that magic bullet, it is just to 
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focus internally first while everyone else tries to get a handle on 
the situation on their own, if that makes sense. 

Mr. Parsons. Congresswoman, as a Government and a com- 
mittee, it has a lot to do with what we talked about today: Sup- 
porting the Coast Guard to create this fabric; identify systems 
through risk-based assessments; identify the priority gaps. But I 
think there has got to be some regulation. It can be voluntary, as 
it has been in the past. To be honest with you, left to our own de- 
vices, we don’t seem to have done very well. 

So the other thing I mentioned is the Port of Long Beach has 
used incentives for our private-entity partners to engage in various 
programs that we have had there. But you may evolve to regula- 
tions and even requirements, authorities that have been given to 
the Coast Guard in some other areas, but we have to generate 
whatever motivation it’s going to take to get this done. 

The reason it is going to be a maturational process is there’s not 
one size that fits all with ports, so there has got to be a recognition 
that it is a different playing field in different ports. 

Ms. Sanchez. Thank you. Madam Chair. 

Yes, and I agree. If you have seen one port, you have seen one 
port. Thank you. 

Mrs. Miller. I thank the gentlelady very much. 

The Chair recognizes the gentleman from Texas, Mr. Ratcliffe. 

Mr. Ratcliffe. Thank you. Chairman Miller and Ranking Mem- 
ber Vela, again, for the opportunity to be part of your sub- 
committee today and for holding this hearing on a critically impor- 
tant topic. 

On the Subcommittee on Cybersecurity, Infrastructure Protec- 
tion, and Security Technologies, where I also serve, we talk a lot 
about cybersecurity threats to our power grids and to our nuclear 
missile silos and other critical infrastructure. But we, frankly, talk 
a lot less about the fact that 90 percent of the world’s consumer 
goods are shipped on boats and vessels that come through our 
ports, and that statistic alone really underscores the gravity of the 
threat that we are talking about here. If the maritime industry suf- 
fered a major cyber attack, it could leave grocery store shelves 
empty. It could leave gas tanks at filling stations across the coun- 
try empty, and, obviously, that would have a devastating, tremen- 
dous impact on our economy. 

To that point, I want to ask about a report that was in the news 
last year — and maybe. Admiral Thomas, you may be the one to 
start with — I read a report that a U.S. port had suffered a 7-hour 
interruption of a GPS signal. Can you confirm that for me? 

Admiral Thomas. Yes. I mean, there’s a container terminal that 
is fully automated that relies on GPS signal in order to locate spe- 
cific containers and move cranes around. That particular disrup- 
tion, if we are thinking about the same one, was ultimately deter- 
mined not to be related to an intentional attack, but it does high- 
light the vulnerabilities associated with particularly relying on one 
system for that type of an operation. 

Mr. Ratcliffe. Terrific. 

So given the challenges that the Department of Homeland Secu- 
rity and the Federal Government — I think it is well-known — are 
having in this arena with respect to the ability to retain a talented 
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and keep a talented cyber workforce, I would like to get your per- 
spective. 

There have been some discussions earlier about leveraging other 
resources, and within the Department, there is the NCCIC, the Na- 
tional Cybersecurity and Communications Integration Center. Is 
that a resource that you have been able to leverage? If not, why 
not, because a lot of what we have been talking about on the 
Homeland Security Committee generally is trying to elevate the 
NCCIC and its role and its use as a resource in this regard? 

Admiral Thomas. Well, I think you will be happy to hear that 
NCCIC is absolutely a resource for us, and as a resource, it impacts 
all three of our strategic priorities in our cyber strategy. 

We have a Coast Guard person there full time. That is one of the 
ways we are building our own expertise, but it also ensures that 
NCCIC is fully linked up with our Coast Guard Cyber Security Op- 
erations Center. We are sharing information on a daily basis. We 
are taking information in from the industry, and we are providing 
information dozens and dozens of times a year to the industry on 
cyber threats, particularly in the maritime sector. 

So NCCIC is every day getting more and more effective and get- 
ting more well-known and, I think, achieving their mission. 

Mr. Ratcliffe. Well, good. I am, actually, very pleased to hear 
that. So in follow-up to that, I would like to ask you, Mr. Parsons — 
because you talked a little bit about the information sharing as- 
pect, and obviously, that is one of the things that the NCCIC tries 
to accomplish — has that been a resource for you, and, if not, why 
not? 

Mr. Parsons. In the Port of Long Beach, we have two cyber func- 
tions. We have two completely separate networks on the security 
side of the house. That is a reliance we have on the Enterprise In- 
formation Management Group. They have for the last 3 years had 
staffing, particularly as cybersecurity experts, and we looked at 
them to share that information on an enterprise level. With our 
stand-alone network, we share with various Federal databases. 
Both networks’ personnel meet and talk with each other. 

Both the Port of Los Angeles and the Port of Long Beach have 
CSOCs, a Cybersecurity Operations Center. The city of Los Ange- 
les, the mayor’s office, stood up a robust Cyber Fusion Center for 
the region, and both ports have connectivity with that. 

I think part of the point you are trying to get to, though, is, to 
me, there is a lot of sharing going on, but I think there may need 
some better leadership and direction to make sure the right infor- 
mation is getting to the right people. 

Mr. Ratcliffe. Okay. Thank you. 

Mr. Wilshusen, a follow-up because you, actually, you know, 
broached this subject and talked about some of the barriers to in- 
formation sharing, but I assume that you’re familiar with the bill 
that we moved through this committee and then successfully 
through the House, the National Cybersecurity Protection Advance- 
ment Act. That is an information sharing bill, and it does provide 
for — or intends to provide for, if passed into law, the opportunity 
to scrub out the type of information that has discouraged sharing 
personal identifying information, proprietary information, and to 
limit it to cyber threat indicators. 
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Any perspectives on that legislation, and was that what you were 
addressing? 

Mr. WiLSHUSEN. Well, I think, you know, to the extent that that 
legislation will improve the sharing of information on cyber threat 
incidents among the various different sectors and in the Federal 
agencies, it is going to be a positive. Indeed, you know, we are also 
going — we have been mandated — the GAO has been mandated to 
look at the NCCIC and how well it is implementing its mission 
roles and responsibilities in helping to facilitate the sharing of in- 
formation. 

Mr. Ratcliffe. I appreciate you all being here today. 

Again, I appreciate the opportunity to be on the subcommittee. 
I yield back. 

Mrs. Miller. I thank the gentleman. 

I thank you both for attending. We appreciate it. 

The gentleman from Texas. 

Mr. Vela. Madam Chairman, I ask unanimous consent for the 
gentleman from Rhode Island, Mr. Langevin, to sit and question 
the witnesses at today’s hearing. 

Mrs. Miller. Without objection, the Chair now recognizes Mr. 
Langevin, the gentleman from Rhode Island 

Mr. Langevin. Thank you. 

Mrs. Miller [continuing]. A former Secretary of State as was 
myself. 

Mr. Langevin. Likewise. You bet. 

I want to thank the witnesses for being here today. 

Mr. Sawicki and Mr. Parsons, if I could just start with you. 

Mr. Sawicki, one thing that caught my eye in your written testi- 
mony was your recommendation that DHS “further define and pro- 
vide guidance on what constitutes a transportation security inci- 
dent specific to potential or actual cyber breaches.” 

Can you and Mr. Parsons expand on this a bit further? What, if 
any, guidance have you received? 

Mr. Sawicki. Sure. Thank you very much for the question. 

My recommendation is — the focus of it is to help understand that 
just because a facility is in a port and on the water, every security 
incident doesn’t always elevate beyond the fence line to where it 
impacts the American transportation system. So I think it is impor- 
tant that we all come up with a — whatever that line is to where 
it is purely an internal crime versus something that needs to be re- 
ported through NRC and responded to by the Federal Government. 

I am not aware of any specific guidance on what constitutes a 
transportation security incident based on cyber. I think in the ma- 
jority of facility security plans or port security facility plans, there 
is always a question on what is a breach, what is a potential 
breach, and what is a near miss. So I think helping define that will 
help port facilities and ports report incidents that do occur. 

Mr. Langevin. So, can I ask you this? How do you report cyber- 
security incidents to the Federal Government, and to whom have 
you reported? 

Mr. Sawicki. I think that is the question right now. We have not 
reported any cybersecurity incidents because we have not had any, 
that I am aware of, that are significant enough to report. 
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I think one thing to understand, specifically for the Port of 
Brownsville and many other mid-tier ports, that our focus right 
now is not so much protecting our networks through additional 
measures; it is upgrading semi-aging systems, so upgrading soft- 
ware, hardware that comes with the basic protections versus add- 
ing additional protections. 

So, right now, if we were to have a breach to the port’s cyber, 
to their internal email network, I think it would take some con- 
versation to see who needs to be reported. 

Mr. Langevin. So let me take a different tack. 

What incidents do you report, and what are the criteria you use 
to determine whether to report? 

Mr. Sawicki. Right now, our incidents that we report are 
breaches of security based on our facility’s security plan — so some- 
body who may jump a fence, be seen jumping the fence, you know, 
who kind of breaks our perimeter — you know, the basic intrusion. 
If there is a threat that is reported, we will report that. But, right 
now, it is most of the reporting is done in accordance with our secu- 
rity plan and is based on an actual breach of our physical security. 

Mr. Langevin. So, right now, no criteria for reporting any type 
of a cyber event or intrusion? 

Mr. Sawicki. Correct. 

Mr. Langevin. Okay. 

Mr. Parsons, if I could, in your testimony, you mentioned that 
ports can be reluctant to reveal they have been breached. Are there 
requirements as to what you must report? 

Mr. Parsons. No, sir, in the same vein about reporting. There 
is some confusion about what is reported to who. Our Information 
Management Division tells us we defend against approximately a 
million potential penetrations a day. That information is fed to the 
FBI’s Cyberhood Watch Center. So they receive that information, 
and they analyze it with other reporting. 

Should a major incident occur in the port complex, what we 
would do isn’t any different than any other potential emergency sit- 
uation. We would call the Coast Guard. We would call the FBI. We 
would call our partners. We would say, “Here’s what we’ve got, 
where do you think this fits,” because we have overlapping jurisdic- 
tion within maritime environments. So we work it out through per- 
sonal communications and collaboration, but there isn’t guidance to 
direct us. 

Mr. Langevin. Thank you, Mr. Parsons. 

Admiral, if I could turn to you. Admiral Thomas. 

How does the Coast Guard evaluate risk assessments and secu- 
rity plans with respect to cybersecurity, and have you found com- 
mon challenges across different ports, and are there any model 
ports that you could point to in terms of protecting cybersecurity? 

Admiral Thomas. Well, thank you for the question. 

If I could just take up the issue of reporting first. 

I mean, we do receive reports of cybersecurity breaches in ports. 
We did receive one just last night, in fact. So there are reporting 
requirements. The cyber incidents that are related to the physical 
security requirements are reportable under the MTSA. 
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So, for example, if there is a loss of access control to a facility 
or a loss of cargo control or a loss of perimeter control that is asso- 
ciated with a cyher breach, that is a reportable incident. 

The confusion comes because cyber touches all aspects of a port 
operation. So if it is a financial system, for example, that has been 
breached, well, that would not be reportable to the Coast Guard be- 
cause it is not addressed under our authority. So I think the indus- 
try reps here are absolutely right that it is very confusing to figure 
out which type of incident gets reported to whom. 

Now, for your question with regard to how do we address cyber 
risks in the ports, I mentioned earlier — I think before you entered 
the room — that we are working very closely across the interagency 
to develop those risk assessment tools so that what we employ in 
the maritime is consistent with what is employed in the power sec- 
tor and in the financial sector, et cetera. There are a number of 
those tools under development — again, led by DHS — and we have 
piloted those in some of the major ports around the Nation. 

There are definitely ports that have been more active — proactive, 
and it would be the ones that you would think about, those that 
have the larger amounts of really high-risk cargoes. Then there are 
others who are probably, rightly, just kind of waiting to see what 
develops in terms of standards. 

Mr. Langevin. Thank you. I see my time has expired, but I will 
have some follow-up questions. Perhaps, if you could respond for 
the record, I would appreciate it. Thank you. 

Mrs. Miller. I thank the gentleman very much. 

The Chair now recognizes Ms. Jackson Lee from Texas. 

Ms. Jackson Lee. Madam Chair, could I yield to Mr. Donovan, 
and I will go last? I am still looking at my notes. Thank you. 

Mrs. Miller. Mr. Donovan has already had his 5 minutes. You 
are the last one. 

Ms. Jackson Lee. Then I cannot yield to Mr. Donovan, as they 
say. 

Mr. Donovan. Thank you. 

Ms. Jackson Lee. Let me thank Mr. Vela and Mrs. Miller for 
this, and I am always glad to see the Brownsville Port here and 
acknowledge that Congressman Vela has done an excellent job in 
this capacity and has provided great leadership on these issues for 
the State of Texas. 

Obviously, I am going to make note of the fact that we have the 
Houston Port, and we have a number of concerns about it. 

So let me, first of all, ask Mr. Sawicki, are you aware of the FBI 
watch, and do you engage — use any Federal resources such as the 
FBI if you think something has occurred with respect to cybersecu- 
rity? 

Mr. Sawicki. Thank you very much. 

I am aware of the FBI’s InfraGard Program because I am a 
member of it, so I receive emails about current threats that, you 
know, can be sent out to people of my, I guess, stature, would be 
the best way to put it. So we coordinate the same way we coordi- 
nate cyber just like we coordinate safety and security in our ports. 
The Area Maritime Security Committees and Subcommittees are 
our primary method for information sharing and communication. 
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I have also worked in and throughout the Port of Houston and 
the Houston Ship Channel, and there it is the very same way. We 
have very robust Area Maritime Security Committees and very ro- 
bust Harbor Safety Committees, and that is where a lot of that in- 
formation sharing is happening. 

Do we formally engage in Brownsville with the FBI currently? 
No, because there hasn’t been the need to. We do — the topic does 
come up during AMSC meetings, but we have not — fortunately, we 
have not had a breach that would require us to coordinate with the 
FBI. 

Ms. Jackson Lee. What do you think the trepidation is for mari- 
time companies not to share cyber attacks that have occurred? 

Mr. Sawicki. Competition. Competition and the potential for im- 
pact to their brand. We have seen some major breaches at some 
major companies, and we have seen CEOs lose their jobs. We have 
seen stock prices impacted. I think cyber is a little different be- 
cause the likelihood of a cyber attack is as close to 100 percent as 
you can get. So I think private industry is protecting themselves 
because of that likelihood, and they are building crisis management 
programs around cyber just like they do around environmental 
issues and things like that. So private industry is working on it. 

Ms. Jackson Lee. We understand that a decade or so ago, this 
committee established that over 85 percent of the infrastructure 
which would be subject to many attacks was in the private sector, 
and we have started to send out messages for them to prepare. 

But what can the Federal Government do that you think would 
be effective in sort of easing the concern of competition and looking 
more closely at the vast massive impact that would come from a 
cyber attack and particularly at the port? 

Mr. Sawicki. I think, initially and what is happening right now, 
it is facilitating the conversation, but ultimately, it is ensuring that 
any data that is shared is protected. So protecting your own net- 
works first while private industry works to protect their networks 
and then to help — to continue funding training programs. You 
know, like I said, many ports right now are not the very large — 
not the Port of Houston, not the Port of Long Beach — to where the 
need is training. You know, we can have all the systems in the 
world, but if I click the wrong email, it can get right around all of 
it. 

So I think facilitating training, continuing to support the Port 
Security Grant Program, and then really looking at some of the 
cost-mass requirements for cyber projects that could potentially 
mitigate risk at a National level. 

Ms. Jackson Lee. Thank you. 

Admiral Thomas, I can’t see you, but I know, by your excellent 
answers, that you are here. 

Let me have a series of questions with you, albeit briefly then. 
I thank the Chairman. 

As I do that, let me acknowledge the Brownsville Port, but then, 
of course, I have in my jurisdiction the Houston Port, which is a 
25-mile-long complex of diversified public and private facilities and 
is a few hours away from Gulf of Mexico, which makes it vulner- 
able on a number of occasions — on number of points: It is man- 
made. It has major exports. In 2012, Ship Channel-related busi- 
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nesses contributed 1 million-plus jobs and 178 plus 5 billion in 
State-wide economic activity. 

You heard the gentleman from the Port of Brownsville about 
competition and what could be done. You see the difference in size 
of the many ports across America. 

In terms of the Coast Guard’s cybersecurity effort, how does the 
present structure of sequester impact that, and what answer would 
you give to the private sector who would be willing to give more 
information if they could be assured of the lack of a breach? What 
are the firewalls that we are putting in place or have in place? 

Admiral Thomas. Well, thank you for the question. 

With regard to the impact of sequester on our cyber operations, 
particularly our efforts to secure the critical infrastructure, I would 
say it is minimal now because we are still in the assessing and 
communicating phase, in the process of figuring out, what are the 
proper performance standards to put into place? As we move into 
a phase where we actually have to ensure compliance with those 
standards, then I think the resource demands become heavier on 
us. 

Ms. Jackson Lee. What is your projection for moving up to the 
next step? 

Admiral Thomas. Well, one of the interesting things about this 
cyber question is that it is not really uniquely maritime in that 
what we do in the maritime really needs to be closely aligned with 
and look a lot like what goes on in other sectors, so I think the 
Government needs to move through this. 

In other words, I don’t think we want to be implementing hard 
standards in the maritime ahead of many of the other sectors, par- 
ticularly those sectors that this — the maritime ports connect with 
because you wouldn’t want to put in place separate requirements 
for entities that — you know, my rail is going to have to meet this, 
and my port facilities are going to have to meet that, and my truck- 
ing facilities something else. 

So I don’t know. I think that the time line, though, has to be 
carefully coordinated and considered. 

Ms. Jackson Lee. Is that the Government’s challenge to coordi- 
nate the private sector and cybersecurity, because maybe. Admiral, 
you might have a best practices idea under the Coast Guard that 
might be utilized by the railroads and otherwise? I am trying to see 
who starts, and what would be most helpful to get us into this 
process as I conclude. 

Admiral Thomas. So DHS really has taken a leadership role in 
coordinating across all the sectors, and the Coast Guard partici- 
pates in that as does the TSA and all the other sector-specific agen- 
cies. So I think the focus on sharing those best practices across sec- 
tors — and certain sectors are leading, financial, for example, and 
energy — is definitely in place, and the private sector is very in- 
volved in that effort. 

Ms. Jackson Lee. Thank you. Madam Chair. 

Mrs. Miller. I thank the gentlelady. I appreciate it. 

Ms. Jackson Lee. If I 

Mrs. Miller. I am going to move on here. We have a hard dead- 
line. 
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Ms. Jackson Lee. I understand. When the gentleman finishes, 
I just want to put a “thank you” on the record. 

Mrs. Miller. Certainly. 

Ms. Jackson Lee. So I would appreciate it. 

Mrs. Miller. The Chair recognizes the gentleman from Texas 
now, Mr. Hurd. 

Mr. Hurd. Thank you. Madam Chairman. 

Thank you all for being here today. 

This question is directed at any one of you all that want to field 
it, and I want to pick up on some of the questions that my col- 
league from Houston has talked about. 

You know, ports, like many other industries in the world, are 
moving towards automation, integration, you know, and upgrades 
to industrial control systems. You know, probably the two publicly- 
known cases of physical damage occurring as a result of a cyber at- 
tack is Stuxnet, probably being the most well-known, and it oc- 
curred as a result of cyber attacks against industrial control sys- 
tems. 

You all have talked about information sharing, but what are 
some of the unique challenges you all are dealing with in pro- 
tecting industrial control systems, and, you know, what are you all 
doing specifically in that area? 

The admiral, maybe, or Mr. Parsons. 

Admiral Thomas. Well, I mean, I can talk to you about what I 
know is going on in some of the higher-tech portions of the mari- 
time industry. 

So, for example, those vessels that are out in the Gulf of Mexico, 
drilling in very, very deep water, relying on dynamic positioning 
systems and systems that are making decisions faster than people 
can humanly make them, which enables them to drill, you know, 
miles down — that they really have begun to focus — rightly, I be- 
lieve — on what I call a layered cyber protection strategy, which 
starts with individual components, the manufacturers of those com- 
ponents, how those are made, how they have been integrated into 
a system, and how that system is then integrated on the vessel but 
then, beyond that, really focusing on the human elements because 
this is more than just an IT problem. 

Also, how are those systems operated and maintained, and how 
are the operators and maintainers trained, because very basic 
training, like don’t plug your iPhone into this system, can go a long 
way to help to prevent? 

So what I have seen, particularly in those portions of industry 
that rely more heavily on high-tech, is a risk-management ap- 
proach for cyber that is akin to what they have always done for 
physical threats, and I think that is a positive step. 

Mr. WiLSHUSEN. I would just add, too, that one of the key ele- 
ments to the increasing use of industrial control systems that have 
communications capability is just making sure that entities and 
corporations are aware of that capability and the threats associated 
with that. 

What we had found in a couple of our reviews is that the agen- 
cy — and this is going back a few years — was not even familiar or 
did not know that its industrial control systems were actually con- 
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nected to the administrative networks of the organization, and that 
created another avenue of access, if you will. 

So understanding the threats to the technologies that are being 
used and how that technology is being used is going to be key to 
that, particularly as it relates to industrial control systems. 

Mr. Hurd. I yield my final 2 minutes to my colleague from 
Texas. Thank you. 

Ms. Jackson Lee. Thank you, Mr. Hurd. 

I wanted to just say to the admiral but pose a question as well, 
first of all, thank you for the stunning and — obviously, I know you 
will say they were doing their duty work regarding the cargo ship 
off the coast of Florida during a very horrific time. I don’t know if 
the Chairman and Ranking Member know of the interests that I 
have because I think security involves many aspects of our work, 
and that — we have no evidence of anything untoward. But certainly 
it was a tragic episode and a loss of life of many Americans. 

So, Admiral, I am thankful to you, and the question that I have 
that you could either do in writing — or I think I have a few min- 
utes for you to answer — is: Any directions — or does the company 
and/or the captain seek information from the Coast Guard, their 
communications on-going that might draw the attention to come 
back to harbor in any situations like that? 

Admiral Thomas. Well, as you know, our investigation of that 
particular casualty is just starting under the lead of the NTSB, and 
those questions will certainly be asked. It is really the human ele- 
ment: What information was looked at by whom and when? Gen- 
erally, though, a master of a ship of that size is not consulting with 
the Coast Guard with regard to his or her voyage planning. 

Ms. Jackson Lee. Is not consulting? 

Admiral Thomas. Is not consulting with the Coast Guard with 
regards to their voyage planning. Obviously, they are required to 
let us know when they tend to make a port call, but the voyage 
planning is something that is left to the ship’s master and the com- 
pany. 

But, as I said, our investigation with the NTSB will look into all 
of those factors, and we will be in a better position to let you know 
the specifics, hopefully in a few weeks. 

Ms. Jackson Lee. Thank you. 

Mrs. Miller. Thank you. 

Ms. Jackson Lee. Thank you, Mr. Hurd. 

Mrs. Miller. We thank the gentlelady for those comments. 

We began our meeting, actually — our hearing — by thanking the 
coastguardsmen and women for their extraordinary service in that 
incident. 

Thoughts and prayers, obviously, to all the families, the people 
that have been lost. 

So I want to thank the witnesses — all of you — for joining us 
today. I think it has been a very good hearing, a very timely sub- 
ject, one that is not going away. It is something that we have to 
pay an incredible amount of attention to. 

So the Members of the committee might have some additional 
questions for the witnesses, and I would ask you all to respond to 
those in writing if they do put those in writing. 
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Pursuant to the committee rule 7(e), the hearing record will be 
held open for 10 days. 

Without objection, thank you all again for attending. 

The committee stands adjourned. 

[Whereupon, at 11:30 a.m., the subcommittee was adjourned.] 

o 



